Use structured fields for CORS headers #1216

@letitz

Private Network Access is considering using structured fields for the new Access-Control-Allow-Private-Network header in WICG/private-network-access#45. This header should be kept consistent with the existing Access-Control-Allow-Credentials header defined by the CORS protocol, since they both accept a single value: "true".

It would be nice to modernize the existing ABNF-defined CORS header syntax to use structured fields instead.

To avoid backwards-incompatibility, the Allow-Credentials header in particular should probably be defined as a token instead of a boolean, which is unfortunate but surmountable.

It is less clear what to do with the Access-Control-{Request,Allow}-{Method,Headers} headers. Their syntax might be subtly different from that expected by structured fields' "list of tokens" type?
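An added example (not part of the original issue, and not code from the Fetch or Private Network Access specifications) that checks the two points raised above against the grammars themselves. The regular expressions are transcribed from RFC 9110 (`token`) and RFC 8941 (`sf-token`, `sf-boolean`); the function names and sample header values are constructed for illustration.

```javascript
// tchar from RFC 9110, written as the inside of a regex character class.
const TCHAR = "!#$%&'*+\\-.^_`|~0-9A-Za-z";
// RFC 9110: token = 1*tchar (used by the ABNF-defined CORS headers).
const HTTP_TOKEN = new RegExp(`^[${TCHAR}]+$`);
// RFC 8941: sf-token = ( ALPHA / "*" ) *( tchar / ":" / "/" )
const SF_TOKEN = new RegExp(`^[A-Za-z*][${TCHAR}:/]*$`);
// RFC 8941: sf-boolean = "?" ( "0" / "1" )
const SF_BOOLEAN = /^\?[01]$/;

// Classify a bare field value (no parameters) as a structured-field item type.
// Only the two types relevant to the issue are distinguished.
function sfBareItemType(value) {
  if (SF_BOOLEAN.test(value)) return "boolean";
  if (SF_TOKEN.test(value)) return "token";
  return "other";
}

// Split a comma-separated legacy list and report members accepted by one
// grammar but not the other.
function grammarMismatches(fieldValue) {
  const members = fieldValue.split(",").map((s) => s.trim()).filter(Boolean);
  return {
    // Valid today as an HTTP token, rejected by a structured-field parser.
    httpOnly: members.filter((m) => HTTP_TOKEN.test(m) && !SF_TOKEN.test(m)),
    // Accepted as an sf-token, but not a valid method or field name.
    sfOnly: members.filter((m) => SF_TOKEN.test(m) && !HTTP_TOKEN.test(m)),
  };
}

// Constructed sample values.
// The existing "true" value is an sf-token; an sf-boolean would be "?1".
console.log(sfBareItemType("true"), sfBareItemType("?1"));
// Common method lists, including the "*" wildcard, fit both grammars.
console.log(grammarMismatches("GET, POST, *"));
// Names starting with a digit or "_" are HTTP tokens but not sf-tokens.
console.log(grammarMismatches("content-type, 1st-party-id, _internal"));
```

A server sending `Access-Control-Allow-Credentials: ?1` would not match the `true` value that existing clients expect, which is the backwards-compatibility constraint behind the token choice.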
