2.1.8 Section 6.1, Simple Cross-Origin Request, Actual Request, and Redirects

V0008

The specification states:

Resources must use the following set of steps to determine which additional headers to use in the response:
 
1.  If the Origin header is not present terminate this set of steps. The request is outside the scope of this specification.
 
2.  If the value of the Origin header is not a case-sensitive match for any of the values in list of origins, do not set any additional headers and terminate this set of steps.
 
Note: Always matching is acceptable since the list of origins can be unbounded.
 
3.  If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.
 
Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.
 
Note: The string "*" cannot be used for a resource that supports credentials.
 
4.  If the list of exposed headers is not empty add one or more Access-Control-Expose-Headers headers, with as values the header field names given in the list of exposed headers.
Note: By not adding the appropriate headers resource can also clear the preflight result cache of all entries where origin is a case-sensitive match for the value of the Origin header and url is a case-sensitive match for the URL of the resource.

IE8 Mode, IE9 Mode, and IE10 Mode (All Versions)

Credentials and exposed headers are not supported.

Show: