2.1.8 Section 6.1, Simple Cross-Origin Request, Actual Request, and Redirects
The specification states:
Resources must use the following set of steps to determine which additional headers to use in the response:
1. If the Origin header is not present, terminate this set of steps. The request is outside the scope of this specification.
2. If the value of the Origin header is not a case-sensitive match for any of the values in the list of origins, do not set any additional headers and terminate this set of steps.
Note: Always matching is acceptable since the list of origins can be unbounded.
3. If the resource supports credentials, add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.
Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value. Note: The string "*" cannot be used for a resource that supports credentials.
4. If the list of exposed headers is not empty add one or more Access-Control-Expose-Headers headers, with as values the header field names given in the list of exposed headers.
Note: By not adding the appropriate headers, a resource can also clear the preflight result cache of all entries where origin is a case-sensitive match for the value of the Origin header and url is a case-sensitive match for the URL of the resource.
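The four steps above, carried out by a server-side function. This is an added example and is not part of the specification text or of Internet Explorer; the resource description fields (origins, allowAnyOrigin, supportsCredentials, exposedHeaders) and the sample resources are assumed names and constructed data, not structures the specification defines.

```javascript
// Added example (not from the specification or from Internet Explorer):
// a server-side implementation of steps 1-4 for a simple cross-origin
// request. The resource description shape (origins, allowAnyOrigin,
// supportsCredentials, exposedHeaders) is an assumption of this example.

// Look up a request header by name, ignoring case: HTTP header *names* are
// case-insensitive, while the Origin *value* is compared case-sensitively.
function getHeader(requestHeaders, name) {
  const key = Object.keys(requestHeaders).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? undefined : requestHeaders[key];
}

// Returns the additional response headers the resource must add, or an empty
// object when no CORS headers are to be set at all.
function corsResponseHeaders(requestHeaders, resource) {
  const headers = {};

  // Step 1: no Origin header means the request is outside the scope of CORS.
  const origin = getHeader(requestHeaders, "Origin");
  if (origin === undefined) return headers;

  // Step 2: the value must be a case-sensitive match for an entry in the list
  // of origins. An unbounded list ("always matching is acceptable") is
  // modelled here as allowAnyOrigin.
  if (!resource.allowAnyOrigin && !resource.origins.includes(origin)) {
    return headers;
  }

  // Step 3: a resource that supports credentials must echo the specific
  // Origin and add Access-Control-Allow-Credentials: true. "*" cannot be used
  // for such a resource, so allowAnyOrigin combined with credentials also
  // echoes the origin, which grants credentialed access to every requester.
  if (resource.supportsCredentials) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  } else {
    headers["Access-Control-Allow-Origin"] = resource.allowAnyOrigin ? "*" : origin;
  }

  // Step 4: name any response headers the client is allowed to read.
  if (resource.exposedHeaders.length > 0) {
    headers["Access-Control-Expose-Headers"] = resource.exposedHeaders.join(", ");
  }
  return headers;
}

// Constructed sample resources for a stand-alone run.
const PRIVATE_API = {
  origins: ["https://app.example"],
  allowAnyOrigin: false,
  supportsCredentials: true,
  exposedHeaders: ["X-Request-Id"],
};
const PUBLIC_FEED = {
  origins: [],
  allowAnyOrigin: true,
  supportsCredentials: false,
  exposedHeaders: [],
};

function demo() {
  return {
    match: corsResponseHeaders({ Origin: "https://app.example" }, PRIVATE_API),
    caseMismatch: corsResponseHeaders({ Origin: "https://APP.example" }, PRIVATE_API),
    noOrigin: corsResponseHeaders({ Host: "api.example" }, PRIVATE_API),
    anyOrigin: corsResponseHeaders({ origin: "https://other.example" }, PUBLIC_FEED),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two points worth checking in any real implementation of these steps: first, "always matching" a resource that also supports credentials means every origin that sends a request gets the echoed Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true, so the allow-list, not the echo, is what protects a credentialed resource; second, when the Access-Control-Allow-Origin value varies with the request (the echo case), the response should also carry Vary: Origin so that a shared cache does not serve one origin's headers to another. The Vary header is standard HTTP caching practice and is not among the steps quoted above.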
IE8 Mode, IE9 Mode, and IE10 Mode (All Versions)
Credentials (the Access-Control-Allow-Credentials header of step 3) and exposed headers (the Access-Control-Expose-Headers header of step 4) are not supported.