The relevant part of the spec reads as follows.
7.2 Resource Sharing Check
- If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.
- If the Access-Control-Allow-Origin header value is the "*" character and the omit credentials flag is set, return pass and terminate this algorithm.
- If the value of Access-Control-Allow-Origin is not a case-sensitive match for the value of the Origin header as defined by its specification, return fail and terminate this algorithm.
- If the omit credentials flag is unset and the response includes zero or more than one Access-Control-Allow-Credentials header values, return fail and terminate this algorithm.
- If the omit credentials flag is unset and the Access-Control-Allow-Credentials header value is not a case-sensitive match for "true", return fail and terminate this algorithm.
- Return pass.
So it seems the check fails unless you set Access-Control-Allow-Credentials: true. Incidentally, it also fails if this header is set more than once in the response.
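The check above, as an added example that is not part of the original post or of the spec: a JavaScript function that implements the Resource Sharing Check over a raw response header list and runs it against constructed responses (the origin https://app.example is hypothetical). It covers both states of the omit credentials flag, so the "*" and Access-Control-Allow-Credentials cases can be compared side by side.

```javascript
// Added example (not from the quoted spec or the original post): the
// "Resource Sharing Check" above as a standalone function. `headers` is a
// list of [name, value] pairs, like a raw response header list, so a header
// that appears twice is counted twice, as the spec requires.
function resourceSharingCheck(headers, requestOrigin, omitCredentials) {
  // Header names are case-insensitive; header values are compared as-is.
  const values = (name) =>
    headers.filter(([k]) => k.toLowerCase() === name).map(([, v]) => v);
  const allowOrigin = values("access-control-allow-origin");
  // Zero or more than one Access-Control-Allow-Origin: fail.
  if (allowOrigin.length !== 1) return "fail";
  // "*" passes only when the omit credentials flag is set.
  if (allowOrigin[0] === "*" && omitCredentials) return "pass";
  // Otherwise the value must be a case-sensitive match for the Origin;
  // a "*" on a credentialed request lands here and fails.
  if (allowOrigin[0] !== requestOrigin) return "fail";
  if (!omitCredentials) {
    const allowCreds = values("access-control-allow-credentials");
    // Zero or more than one Access-Control-Allow-Credentials: fail.
    if (allowCreds.length !== 1) return "fail";
    // The single value must be exactly "true" ("True" does not count).
    if (allowCreds[0] !== "true") return "fail";
  }
  return "pass";
}
// Constructed sample responses for a request from https://app.example
// (hypothetical origin): [header pairs, omit credentials flag].
const ORIGIN = "https://app.example";
const ACAO = "Access-Control-Allow-Origin";
const ACAC = "Access-Control-Allow-Credentials";
const cases = {
  exactOriginAndTrue: [[[ACAO, ORIGIN], [ACAC, "true"]], false],
  wildcardWithCredentials: [[[ACAO, "*"]], false],
  wildcardWithoutCredentials: [[[ACAO, "*"]], true],
  missingAllowCredentials: [[[ACAO, ORIGIN]], false],
  capitalisedTrue: [[[ACAO, ORIGIN], [ACAC, "True"]], false],
  duplicateAllowCredentials: [[[ACAO, ORIGIN], [ACAC, "true"], [ACAC, "true"]], false],
  duplicateAllowOrigin: [[[ACAO, ORIGIN], [ACAO, ORIGIN], [ACAC, "true"]], false],
  wrongOriginCase: [[[ACAO, "https://APP.example"], [ACAC, "true"]], false],
};
// Returns { caseName: "pass" | "fail" } for every constructed case.
function runCases() {
  const out = {};
  for (const [name, [hdrs, omit]] of Object.entries(cases)) {
    out[name] = resourceSharingCheck(hdrs, ORIGIN, omit);
  }
  return out;
}
console.log(runCases());
```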