Firebase Storage should allow access-control-allow-credentials: true #5373

@LeadDreamer

Allow access-control-allow-credentials: true on Storage

  • Firebase Firestore server does respond with header access-control-allow-credentials: true, which allows secure access by Security Rules.
  • Firebase Storage does not respond with access-control-allow-credentials: true (indeed, it doesn't include the header at all).

As such, Firebase Storage items must be fetched with an authorization: header in the request, with the value of `Firebase ${JWT}`, where the JWT can be retrieved from auth.getIdToken().

The problem is browsers do not allow such headers to be added to <img> tags. The work-around is to set an error handler for when the <img> fetch fails and use an out-of-band fetch WITH headers and substitute a URL.createObjectURL(blob) for the img src.

See issue #5342 for a code solution.

PROPOSED SOLUTION

<img> and background-image can both be assigned a crossOrigin="use-credentials" property. If Storage responded with "access-control-allow-credentials: true", and accepted the credential, then no special code would be needed to have Security Rule controlled access to Storage items. The *developer* could decide which items to make permanently public via `.getDownloadURL()` and which to keep authenticated.

Originally posted by @LeadDreamer in #5342 (comment)
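
The workaround described in the issue above, as an added example that is not part of the original post and not the code from #5342: an `<img>` error handler that refetches with the `authorization: Firebase ${JWT}` header and swaps in an object URL. The function names, the injected `deps` object and the Storage origin constant are assumptions made for this sketch; the origin check keeps the ID token from being sent to any other host.

```javascript
// Added illustration; not code from the issue or from the Firebase SDK.
// Assumption: Storage objects are served from this origin.
const STORAGE_ORIGIN = "https://firebasestorage.googleapis.com";

// Fetch one Storage object with the ID token and return an object URL.
// deps = { getIdToken, fetch, createObjectURL, revokeObjectURL } is injected
// (hypothetical shape) so the logic can be exercised outside a browser.
// In a page these would be the issue's auth.getIdToken(), window.fetch
// and the URL.createObjectURL / URL.revokeObjectURL functions.
async function fetchAsObjectURL(src, deps) {
  const origin = new URL(src).origin;
  // Never attach the token to a request for any other origin.
  if (origin !== STORAGE_ORIGIN) {
    throw new Error("refusing to send ID token to " + origin);
  }
  const jwt = await deps.getIdToken();
  const res = await deps.fetch(src, {
    headers: { authorization: `Firebase ${jwt}` },
  });
  if (!res.ok) throw new Error("storage fetch failed: " + res.status);
  return deps.createObjectURL(await res.blob());
}

// Install the handler: when the plain <img> load fails, retry once
// out-of-band with the header and substitute the blob URL for img.src.
function attachAuthFallback(img, deps) {
  let retried = false;
  img.onerror = async () => {
    if (retried) return; // one retry only, so a bad blob cannot loop
    retried = true;
    try {
      const objectUrl = await fetchAsObjectURL(img.src, deps);
      // Release the blob once the image has been decoded.
      img.onload = () => deps.revokeObjectURL(objectUrl);
      img.src = objectUrl;
    } catch (e) {
      img.alt = "image unavailable: " + e.message;
    }
  };
  return img;
}
```
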
