Spring Framework 5.0.2 changes the default for the Allow-Credentials header to false. We now adapted our test case to that and also drop the expectation to see the request URL in the Allow-Origin header as that is only returned if Allow-Credentials is true, which it now isn't by default.