Clarify that wildcard and credentials are mutually exclusive (#2210)

Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>

diff --git a/docs/middleware.md b/docs/middleware.md
index 4ec25c3f4ffc61e2c097330a0bf326c6a9e8bbbd..759c86d70e27c45a6ccbcca8771fd524a676291a 100644 (file)
--- a/docs/middleware.md
+++ b/docs/middleware.md
@@ -75,7 +75,7 @@ The following arguments are supported:
 * `allow_origin_regex` - A regex string to match against origins that should be permitted to make cross-origin requests. eg. `'https://.*\.example\.org'`.
 * `allow_methods` - A list of HTTP methods that should be allowed for cross-origin requests. Defaults to `['GET']`. You can use `['*']` to allow all standard methods.
 * `allow_headers` - A list of HTTP request headers that should be supported for cross-origin requests. Defaults to `[]`. You can use `['*']` to allow all headers. The `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` headers are always allowed for CORS requests.
-* `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`.
+* `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`. Also, `allow_origins`, `allow_methods` and `allow_headers` cannot be set to `['*']` for credentials to be allowed, all of them must be explicitly specified.
 * `expose_headers` - Indicate any response headers that should be made accessible to the browser. Defaults to `[]`.
 * `max_age` - Sets a maximum time in seconds for browsers to cache CORS responses. Defaults to `600`.