1π
β
- See my response to your 3rd point.
- Yes. Your server, your rules.
- Setting both
Access-Control-Allow-Credentials: trueandAccess-Control-Allow-Headers: *is never useful:
- For security reasons, browsers that support the wildcard in
Access-Control-Allow-Headerstreat the*value literally in the case of credentialed requests. - Browsers that donβt support the wildcard in
Access-Control-Allow-Headersalways treat the*value literally.
π€jub0bs
Source:stackexchange.com