If this header is set
Access-Control-Allow-Origin: *
javascript can make a request to the domain and read the response if and only if no cookies are sent over, otherwise the javascript cannot read the response.
Generally speaking why is this header considered an insecure practice for a stateful web app that requires authentication?
An application should never revoke their rights over to the Same-Origin Policy, unless there is no other option. In order for personal information to be disclosed with CORS, an attacker must "ride" on an authenticated session, which would require a session cookie.
An Access-Control-Allow-Origin: * could be exploited by an attacker to view an application that is only accessible on a local network, or VPN. In a sense this insecure rule-set creates a tunnel to an affected application, where an attacker could access a sensitive HTTP server on a private network segment.
