I suppose that I'm reading it wrong, but... in http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#make-a-request-steps
7.2.2 says that if the response is "*" and credentials are off, we fail. So, first question, is it really the intent to say that a service can't just return * to permit any old origin? This also seems to contradict 6.1.3, which says that * is only valid for non-credential resources. 7.2.3 makes no allowance for *. It just says case-sensitive match for the origin. The net result is that the resource check fails for all cases when the allow value is "*".
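For anyone following along, here is the resource sharing check the post is reading, written out as a small function so the "*" and credentials combinations can be tried directly. This is an added example, not text or code from the original post or from the CORS editors' draft; the rules it encodes are the ones browsers apply (a single Access-Control-Allow-Origin value; "*" passes only when the request is made without credentials; otherwise a case-sensitive comparison with the request origin, plus Access-Control-Allow-Credentials: true for credentialed requests). The origin string and header values are constructed sample data.

```javascript
// Added example (not part of the original mailing-list post): the CORS
// "resource sharing check" a browser runs on a cross-origin response.
//
// Rules implemented:
//   1. Exactly one Access-Control-Allow-Origin value, otherwise fail.
//   2. If the credentials flag is unset and the value is "*", pass.
//   3. Otherwise the value must be a case-sensitive match of the serialized
//      request origin; "*" never matches an origin, so "*" with the
//      credentials flag set fails at this step.
//   4. With the credentials flag set, Access-Control-Allow-Credentials must
//      be exactly "true" (case-sensitive), otherwise fail.
//
// `headers` is a plain object keyed by lower-cased header name; an array value
// stands for a header that appeared more than once in the response.
function resourceSharingCheck(origin, headers, credentialsFlag) {
  const allowOrigin = headers['access-control-allow-origin'];

  // Step 1: the header must be present exactly once.
  if (allowOrigin === undefined || Array.isArray(allowOrigin)) {
    return { pass: false, reason: 'missing or multiple Access-Control-Allow-Origin' };
  }

  // Step 2: the wildcard is only acceptable when no credentials are sent.
  if (!credentialsFlag && allowOrigin === '*') {
    return { pass: true, reason: 'wildcard accepted for credential-less request' };
  }

  // Step 3: case-sensitive comparison with the request origin. A "*" reaching
  // this point (credentialed request) fails here, as does any case difference.
  if (allowOrigin !== origin) {
    return { pass: false, reason: `"${allowOrigin}" does not match origin "${origin}"` };
  }

  // Step 4: credentialed requests additionally need Allow-Credentials: true.
  if (credentialsFlag && headers['access-control-allow-credentials'] !== 'true') {
    return { pass: false, reason: 'credentials flag set but Access-Control-Allow-Credentials is not "true"' };
  }

  return { pass: true, reason: 'origin matched' };
}

// Constructed sample origin and responses covering each branch above.
const ORIGIN = 'https://app.example';
const SAMPLE_CASES = [
  ['"*", no credentials',                      { 'access-control-allow-origin': '*' },                                                    false],
  ['"*", with credentials',                    { 'access-control-allow-origin': '*' },                                                    true],
  ['exact origin, no credentials',             { 'access-control-allow-origin': ORIGIN },                                                 false],
  ['exact origin, credentials, Allow-Credentials: true',
                                               { 'access-control-allow-origin': ORIGIN, 'access-control-allow-credentials': 'true' },     true],
  ['exact origin, credentials, Allow-Credentials: TRUE',
                                               { 'access-control-allow-origin': ORIGIN, 'access-control-allow-credentials': 'TRUE' },     true],
  ['exact origin, credentials, no Allow-Credentials',
                                               { 'access-control-allow-origin': ORIGIN },                                                 true],
  ['origin differs only in case',              { 'access-control-allow-origin': 'https://APP.example' },                                  false],
  ['header sent twice',                        { 'access-control-allow-origin': ['*', ORIGIN] },                                          false],
  ['header absent',                            {},                                                                                        false],
];

// Runs every sample case and returns [label, pass] pairs.
function runSampleCases() {
  return SAMPLE_CASES.map(([label, headers, creds]) => [label, resourceSharingCheck(ORIGIN, headers, creds).pass]);
}

for (const [label, headers, creds] of SAMPLE_CASES) {
  const result = resourceSharingCheck(ORIGIN, headers, creds);
  console.log(`${result.pass ? 'PASS' : 'FAIL'}  ${label}  (${result.reason})`);
}
```

Running the sample cases shows the only two configurations a server can use to allow a page: `*` for requests sent without credentials, or the exact serialized origin (with `Access-Control-Allow-Credentials: true` when cookies or HTTP auth are included). A service that echoes any origin back together with `Allow-Credentials: true` passes step 3 for every caller, which is why that pattern is the one to flag in review.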
