Marco Faustinelli
Nov 5 · 1 min read

Great stuff. My compliments…
Now a question: I understand that when a request is “with credentials”, the browser refuses responses with ACAO="*". Does this imply that the ACAO in the response MUST be the domain from which we are sending the request, or are there corner cases where this rule is not entirely accurate?