The response to a CORS request must include an
Access-Control-Allow-Origin header, which dictates what origins are allowed to use the CORS resource. This header can take one of three values:
*. This permits requests from any origin.
null. This permits no CORS requests.
For example, on reception of a CORS request from the origin
example.com is an authorized origin, the server would send back this response:
HTTP/1.1 200 OK Access-Control-Allow-Origin: example.com
An any-origin response would also permit this request, i.e.:
HTTP/1.1 200 OK Access-Control-Allow-Origin: *