According to MDN, when responding to a credentialed request, server must specify a domain, and cannot use wild carding.

So I cannot simply use Access-Control-Allow-Origin: *. However, I'm wondering if there is a reason not to simply use: Access-Control-Allow-Origin: ${request.headers["Origin"]}, i.e., always set Access-Control-Allow-Origin to whatever Origin was set to in the request.
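
As an added example (not part of the original question), the sketch below places the header logic the question proposes beside an exact-match allowlist and runs both through the check a browser applies to credentialed responses. The function names, the allowlist and the origins are constructed for illustration.

```javascript
// Added example. Names, allowlist and origins are constructed, not from the page.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// The question's proposal: echo the request's Origin back unconditionally.
// (Node's http module lowercases header names, hence "origin".)
function reflectOrigin(reqHeaders) {
  const origin = reqHeaders["origin"];
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Alternative: echo the Origin only on an exact match against a fixed set.
function allowlistOrigin(reqHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = reqHeaders["origin"];
  // Vary: Origin keeps shared caches from serving one origin's answer to another.
  if (!origin || !allowed.has(origin)) return { "Vary": "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The check a browser applies before a page may read a credentialed response:
// the allowed origin must equal the page's origin exactly ("*" does not count)
// and Access-Control-Allow-Credentials must be the literal string "true".
function browserAllowsCredentialedRead(resHeaders, pageOrigin) {
  return resHeaders["Access-Control-Allow-Origin"] === pageOrigin &&
         resHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Which of the given page origins may read credentialed responses under a policy.
function originsGranted(policy, pageOrigins) {
  return pageOrigins.filter((o) => browserAllowsCredentialedRead(policy({ origin: o }), o));
}

const SAMPLE_ORIGINS = ["https://app.example.com", "https://unlisted.example.net"];
console.log("reflect:  ", originsGranted(reflectOrigin, SAMPLE_ORIGINS));
console.log("allowlist:", originsGranted(allowlistOrigin, SAMPLE_ORIGINS));
```

Under the reflecting policy every sample origin passes the browser's check, which is the same outcome the wildcard would have produced had it been permitted for credentialed requests; the allowlist grants only the listed origin.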