2.1.1 [CORS] Section 5.2, Access-Control-Allow-Credentials Response Header


The specification states:

The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

IE10 Mode and IE11 Mode (all versions)

Origin lists are not supported. Instead, a single origin and the "null" string is supported.