The list of allowed origins that be specific origins, e.g.
"http://domain1.com", or "*" for all origins.
A matched origin is listed in the Access-Control-Allow-Origin
response header of preflight actual CORS requests.
By default, all origins are allowed.
Note: CORS checks use values from "Forwarded"
"X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
if present, in order to reflect the client-originated address.
Consider using the ForwardedHeaderFilter in order to choose from a
central place whether to extract and use, or to discard such headers.
See the Spring Framework reference for more on this filter.
Set the list of response headers other than "simple" headers, i.e.
Cache-Control, Content-Language, Content-Type,
Expires, Last-Modified, or Pragma, that an
actual response might have and can be exposed.
Whether the browser should send credentials, such as cookies along with
cross domain requests, to the annotated endpoint. The configured value is
set on the Access-Control-Allow-Credentials response header of
NOTE: Be aware that this option establishes a high
level of trust with the configured domains and also increases the surface
attack of the web application by exposing sensitive user-specific
information such as cookies and CSRF tokens.
By default this is not set in which case the
Access-Control-Allow-Credentials header is also not set and
credentials are therefore not allowed.