Almost all web browsers reject the origin
"*". Therefore sending
"*" as the
Access-Control-Allow-Origin header results in a same-origin-policy violation.
Fortunately there is a work-around. If you look at the gin-cors code that handles this, what it does instead is to re-send the
"origin" header sent by the browser. So to make
* work, you'd have to do this: