CORS filter sets the access-control-expose-headers header even when the origin is not allowed

[zhaohuabing]

Title: CORS filter sets the access-control-expose-headers header even when the origin is not allowed

It appears that this issue stems from #33051.

The is_cors_request_ variable is now being set to true when origin_allowed is false.

Previously, in the code prior to this PR, is_cors_request_ was set to false when origin_allowed was false.

Is this behavior expected, or is it a bug?

[htuch]

@wbpcode @daixiang0

[arkodg]

cc @cpakulski

[cpakulski]

When does it happen? When the non-matching request is forwarded upstream?

[cpakulski]

I am investigating it.

[cpakulski]

I think that the fact that headers were not added for not matching requests was side effect, not intended action. Anyways, I fixed it to bring back previous behaviour and added unit test to enforce that logic.