Default cors configuration not working, had to manually add more headers

I have a simple lambda function that returns a 200 response code with an empty body. I have enabled cors in my serverless.yaml file by setting cors: true on the http event. However, when making a request to the endpoint, I get the error message:

access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response

I then changed my cors definition in my serverless.yml file from cors:true to explicitly list out what the default cors configuration is, and then added 2 new headers:

  origin: '*'
    - Content-Type
    - X-Amz-Date
    - Authorization
    - X-Api-Key
    - X-Amz-Security-Token
    - X-Amz-User-Agent
    - Access-Control-Allow-Origin // I added this one
    - Access-Control-Allow-Credentials // I added this one as well

This worked, and my requests are now successful.

My question is, this seems like I’m misunderstanding something or doing something wrong. As far as I know, those 2 headers are always included in CORS requests. If they are not included in the allowed-headers list by default, then in what scenarios does specifying the cors: true shorthand work?