2.1.1 [CORS] Section 5.2, Access-Control-Allow-Credentials Response Header
V0001:
The specification states:
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:
Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"
IE10 Mode and IE11 Mode (all versions)
Origin lists are not supported. Instead, a single origin and the "null" string are supported.
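The following is an added example, not part of the specification or of this document's original text. It shows one way a server can stay within the single-origin behavior described above: classify a candidate Access-Control-Allow-Origin value, and answer each request with exactly one allowlisted origin instead of a space-separated list. The function names and the allowlist entries are assumptions made for illustration.

```javascript
// Constructed sample allowlist (hypothetical origins).
const ALLOWED = new Set(["https://app.example.com", "https://admin.example.com"]);

// True when s is a serialized origin: scheme://host[:port] with no path,
// query or fragment, in the lowercase, default-port-free form browsers send.
function isSerializedOrigin(s) {
  let u;
  try { u = new URL(s); } catch { return false; }
  return u.origin !== "null" && u.origin === s;
}

// Classify an Access-Control-Allow-Origin header value.
// "origin-list" is the form IE10 Mode and IE11 Mode do not support.
function classifyAcao(value) {
  const v = value.trim();
  if (v === "*") return "wildcard";
  if (v === "null") return "null";
  const parts = v.split(/\s+/);
  if (parts.length > 1) return "origin-list";
  return isSerializedOrigin(parts[0]) ? "single-origin" : "invalid";
}

// Build response headers for one request. The request's Origin is returned
// only on an exact allowlist match, so the header never carries a list.
function corsHeadersFor(requestOrigin, allowed = ALLOWED) {
  // Vary keeps shared caches from reusing one origin's response for another.
  const headers = { "Vary": "Origin" };
  if (typeof requestOrigin === "string" &&
      isSerializedOrigin(requestOrigin) &&
      allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Constructed header values a configuration review might encounter.
for (const sample of [
  "https://app.example.com",
  "https://app.example.com https://admin.example.com",
  "null",
]) {
  console.log(JSON.stringify(sample), "->", classifyAcao(sample));
}
```

A value classified as "origin-list" is the one to replace with per-request selection as in corsHeadersFor.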