- A client (web browser) is not allowed to read data sent in response to a GET request containing authentication credentials, if `Access-Control-Allow-Origin: *` is present in the HTTP headers of the response†.
- The only time data with an `Access-Control-Allow-Origin: *` header is available to the client is when no authentication details (e.g. cookies) are sent.
- When an `Access-Control-Allow-Origin: *` header is set on the response, the data that can be read is guaranteed to be anonymous‡.

[†] This is a special case that only applies when `*` is set as the origin.

[‡] The only exception is when authentication is by IP address - in that case the `Access-Control-Allow-Origin: *` header should not be set.
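As an added illustration (not part of the answer above), here is the browser-side rule these points describe, written out as the "CORS check" from the Fetch standard; it also covers the exact-origin case the `*` special case is contrasted with. The function names, header map shape and sample origins are this example's own assumptions.

```javascript
// Added example: a simulation of the browser's CORS response check
// (the "CORS check" in the Fetch standard). It shows why a response
// carrying Access-Control-Allow-Origin: * is unreadable when credentials
// were sent. Function names and sample origins are assumptions of this example.

// Look up a header name case-insensitively in a plain-object header map.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find(k => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

// Returns true if the page at requestOrigin may read the response body.
//   requestOrigin:   the calling page's origin, e.g. "https://app.example"
//   credentialsMode: "omit" | "same-origin" | "include" (fetch() semantics)
//   responseHeaders: header map of the cross-origin response
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) return false;           // no CORS header at all
  const withCredentials = credentialsMode === 'include';
  // The special case: "*" only satisfies credential-free (anonymous) requests.
  if (!withCredentials && allowOrigin === '*') return true;
  // Otherwise the header must name this exact origin; "*" never matches here.
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  // A credentialed response additionally needs the explicit opt-in header.
  return getHeader(responseHeaders, 'Access-Control-Allow-Credentials') === 'true';
}

// Constructed sample responses (not captured from any real service).
const ANONYMOUS_API = { 'Access-Control-Allow-Origin': '*' };
const PER_ORIGIN_API = {
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
};

// The four situations the answer's bullet points describe.
function demo() {
  return {
    starNoCreds:      corsCheck('https://app.example', 'omit', ANONYMOUS_API),     // true
    starWithCreds:    corsCheck('https://app.example', 'include', ANONYMOUS_API),  // false
    exactWithCreds:   corsCheck('https://app.example', 'include', PER_ORIGIN_API), // true
    otherOriginCreds: corsCheck('https://evil.example', 'include', PER_ORIGIN_API) // false
  };
}
```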