Tests verifying the soundness of the Access-Control-Allow-Origin header
*) to allow multiple origins while at the same time allowing authenticated requests. This is why many implementations create dynamic responses based on the
Origin header. If an endpoint blindly allows all origins while at the same time allowing authenticated requests, either the resource should not require authentication or it is too sensitive to be shared across origin boundaries. This test case blindly replays the Origin header in the
null origin in an Access-Control-Allow-Origin header is equivalent to allowing every origin. Combined with allowing authenticated requests, the same concerns as with insecure dynamic header generation apply.
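
The two conditions described above (a replayed Origin header and an allowed null origin, each combined with authenticated requests) can be checked against a response as in the following added example, which is not code from the original page. The function names, the allowlist and the sample origins are assumptions constructed for illustration; the example also shows an allowlist-based header builder next to the blindly reflecting one.

```python
# Added example; the origins and function names are constructed for illustration.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def reflecting_headers(request_origin):
    """Insecure dynamic generation: replays whatever Origin the client sent."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Hardened generation: exact match against a fixed allowlist."""
    # "null" and unknown origins receive no CORS headers at all.
    if request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # response depends on Origin, so caches must key on it
    }


def audit_cors(probe_origin, response_headers):
    """Classify the response to a request sent with an untrusted probe_origin."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    # Browsers only honour the exact, case-sensitive value "true".
    with_credentials = headers.get("access-control-allow-credentials") == "true"
    findings = []
    if acao == "null":
        findings.append("null-origin-allowed")
    elif acao is not None and acao == probe_origin:
        findings.append("origin-reflected")
    if findings and with_credentials:
        findings.append("with-credentials")
    return findings


if __name__ == "__main__":
    # Constructed probes: one arbitrary untrusted origin and the null origin.
    for probe in ("https://untrusted.example", "null"):
        for build in (reflecting_headers, allowlist_headers):
            print(probe, build.__name__, audit_cors(probe, build(probe)))
```

The probe origin passed to audit_cors must be one the service has no reason to trust; a reflected value for a legitimately allowlisted origin is expected behaviour, not a finding.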