I’m trying to understand how to use CORS and am confused about what the Access-Control-Allow-Credentials header does.
The documentation says:
“Indicates whether or not the response to the request can be exposed when the credentials flag is true.”
But I don’t understand what the response being “exposed” means.
Can anyone explain what this header being set to true (in conjunction with the credentials flag being set to true) actually does?
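The check the quoted documentation sentence describes, as an added example that is not part of the original post: a JavaScript model of the browser-side CORS check from the Fetch standard, run over constructed response headers. The function names, the origin `https://app.example` and the sample headers are assumptions made for illustration; "exposed" here means the calling script is allowed to read the response.

```javascript
// Added illustration: a model of the CORS check a browser applies to a
// cross-origin response. All names below are hypothetical.

// Case-insensitive lookup of a response header; returns null when absent.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// Returns true when the response may be exposed to the calling script.
// credentialsMode is "include" when the credentials flag is set, e.g.
// fetch(url, {credentials: "include"}) or xhr.withCredentials = true.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  const withCredentials = credentialsMode === "include";
  // The wildcard is honoured only for requests made without credentials.
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  // With credentials, the server must also opt in with the exact value "true".
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Constructed sample responses, keyed by what each one demonstrates.
const ORIGIN = "https://app.example";
const SAMPLES = {
  wildcardOnly: { "Access-Control-Allow-Origin": "*" },
  originOnly: { "Access-Control-Allow-Origin": ORIGIN },
  originAndCredentials: {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Credentials": "true",
  },
  wildcardAndCredentials: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  },
};

// Evaluates every sample for one credentials mode ("omit" or "include").
function exposureTable(credentialsMode) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, h]) => [k, corsCheck(ORIGIN, credentialsMode, h)])
  );
}
```

With the credentials flag set, only the response that echoes the exact origin and also sends `Access-Control-Allow-Credentials: true` passes the check; without the flag, the header is not consulted.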