
Commit

docs: update wildcard usage on cors (#9845)
**Description:** Improved CORS docs.

**Link to tracking Issue:** #9844
AlissonRS committed Sep 19, 2024
1 parent 1edd311 commit 134c956
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions config/confighttp/README.md
Expand Up @@ -68,8 +68,8 @@ is hosted at a different [origin][origin]. If left blank or set to `null`, CORS
will not be enabled.
- `allowed_origins`: A list of [origins][origin] allowed to send requests to
the receiver. An origin may contain a wildcard (`*`) to replace 0 or more
characters (e.g., `https://*.example.com`). To allow any origin, set to
`["*"]`. If no origins are listed, CORS will not be enabled.
characters (e.g., `https://*.example.com`). **Do not use** a plain wildcard
`["*"]`, as our CORS response includes `Access-Control-Allow-Credentials: true`, which makes browsers to **disallow a plain wildcard** (this is a security standard). To allow any origin, you can specify at least the protocol, for example `["https://*", "http://*"]`. If no origins are listed, CORS will not be enabled.
- `allowed_headers`: Allow CORS requests to include headers outside the
[default safelist][cors-headers]. By default, safelist headers and
`X-Requested-With` will be allowed. To allow any request header, set to
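Review bot: The added `allowed_origins` text recommends `["https://*", "http://*"]` as the way to allow any origin, in the same sentence that says the response carries `Access-Control-Allow-Credentials: true`. Taken together, that configuration lets a page on any origin send credentialed cross-origin requests to the receiver and read the responses, which is the exposure the browser rule against a plain `*` is meant to prevent. Suggest stating that consequence and recommending an explicit list of the origins that need access, with the scheme-only wildcard described as a last resort rather than the default workaround. Wording points on the same line: "which makes browsers to disallow" should read "which makes browsers disallow", "our CORS response" reads better as "the CORS response", and the added line should be wrapped to match the surrounding lines of the README.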