Access-Control-Allow-Origin: *

  1. A client (web browser) is not allowed to read data sent in response to a GET request that carried authentication credentials if Access-Control-Allow-Origin: * is present in the HTTP headers of the response.
  2. The only time data with an Access-Control-Allow-Origin: * header is available to the client is when no authentication details (e.g. cookies) are sent.
  3. When an Access-Control-Allow-Origin: * header is set on the response, the data that can be read is guaranteed to be anonymous.

[†] This is a special case that only applies when * is set as the origin.

[‡] The only exception is when authentication is by IP address; in that case the Access-Control-Allow-Origin: * header should not be set.
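The three points above describe the browser-side "CORS check" that decides whether a cross-origin response is exposed to page script. The model below is an added example written for this page, not browser source or code from the original author; it assumes response headers are passed as a plain object with lowercase names and that the credentials mode follows the Fetch API values ("omit", "same-origin", "include").

```javascript
// Added example: a model of the browser's CORS check (Fetch standard).
// Assumption: headers are a plain object keyed by lowercase header name.

/**
 * Decide whether a cross-origin response may be read by the requesting page.
 * @param {string} requestOrigin  serialized origin of the page making the request
 * @param {"omit"|"same-origin"|"include"} credentialsMode  Fetch credentials mode
 * @param {Object<string,string>} headers  response headers, lowercase names
 * @returns {{exposed: boolean, reason: string}}
 */
function corsCheck(requestOrigin, credentialsMode, headers) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];

  if (acao === undefined) {
    return { exposed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // Point 2: "*" exposes the body only when no credentials were sent.
  if (credentialsMode !== "include" && acao === "*") {
    return { exposed: true, reason: "wildcard origin, anonymous request" };
  }
  // Point 1: once credentials are sent, "*" is never matched literally,
  // even if Access-Control-Allow-Credentials: true is also present.
  if (acao !== requestOrigin) {
    return { exposed: false, reason: `origin ${requestOrigin} not allowed by ${acao}` };
  }
  if (credentialsMode !== "include") {
    return { exposed: true, reason: "exact origin match, anonymous request" };
  }
  // Credentialed request with an exact origin still needs ACAC: true (case-sensitive).
  if (acac === "true") {
    return { exposed: true, reason: "exact origin match, credentials allowed" };
  }
  return { exposed: false, reason: "credentials sent but not allowed by the server" };
}

// Constructed sample responses (not captured traffic) covering each branch.
const WILDCARD = { "access-control-allow-origin": "*" };
const WILDCARD_WITH_CREDS = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
};
const EXACT_WITH_CREDS = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-credentials": "true",
};
```

Running corsCheck("https://app.example", "include", WILDCARD_WITH_CREDS) returns exposed: false, which is point 1 in action: adding Access-Control-Allow-Credentials: true does not rescue a wildcard origin.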