Description
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared based on the value of the Origin request header, "*", or "null" in the response.
If a website responds with Access-Control-Allow-Origin: *, the requested resource may be shared with every origin. Therefore, any website can make XMLHttpRequest (XHR) or fetch requests to the site and read the responses. Browsers refuse to send credentials (cookies, HTTP authentication) when the wildcard is used, so the exposure is limited to content that is readable without authentication, but any such content is available to every origin.
Remediation
Check whether Access-Control-Allow-Origin: * is appropriate for the resource/response. It is acceptable only for genuinely public resources; otherwise restrict the header to an allowlist of trusted origins (matched exactly, not by substring) and return Vary: Origin, or omit the header entirely.
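The following is an added example, not part of the original page: a small Python helper that shows the weak wildcard setting beside a remediated version that only echoes an origin found in an exact-match allowlist. The origin values and function names are constructed for this example.

```python
# Added example (not from the original page): choosing CORS response headers
# from an allowlist instead of the wildcard "*".
# ALLOWED_ORIGINS, wildcard_headers and cors_headers are this example's own names.

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # constructed sample


def wildcard_headers():
    """The weak setting: every origin may read the response."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers(request_origin, allowed_origins=ALLOWED_ORIGINS, credentials=False):
    """Return the CORS headers for a response, or {} when the origin is not trusted.

    Only an exact, case-sensitive match against the allowlist is accepted;
    substring or prefix checks ("example.com" in origin) also match
    unrelated hosts that merely contain the string, so they are avoided.
    """
    if request_origin is None or request_origin == "null":
        # No Origin header (same-origin or non-browser client) or the opaque
        # "null" origin (sandboxed iframe, file://): grant nothing.
        return {}
    if request_origin not in allowed_origins:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        # Tell caches the response depends on Origin, so a response echoed
        # for one origin is not served to another.
        "Vary": "Origin",
    }
    if credentials:
        # Browsers reject credentials combined with "*", so credentialed
        # APIs must echo one specific trusted origin.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print(wildcard_headers())
    print(cors_headers("https://app.example.com"))
    print(cors_headers("https://other.example.net"))  # {} - untrusted origin
```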
References
Test Cross Origin Resource Sharing (OTG-CLIENT-007)
Cross-Origin Resource Sharing (CORS) and the Access-Control-Allow-Origin Header