Thanks Marco Faustinelli
There are two scenarios in which browsers generally reject the response to a “credentialed” (withCredentials = true) request:
- If the response does not contain an Access-Control-Allow-Credentials: true header, then the browser will reject the response and it will not be available to the invoking request.
- In the case where the response does contain an Access-Control-Allow-Credentials: true header, the browser will reject the response if Access-Control-Allow-Origin is set to the wildcard “*”.
The response to a credentialed request would only be processed if it contains the requesting origin as the Access-Control-Allow-Origin value, along with Access-Control-Allow-Credentials: true.
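
The check described in the comment above, as an added example that is not part of the original comment: a simplified model of the browser's decision, plus a server-side helper that only echoes allow-listed origins. The function names, the `https://app.example` origin and the allow-list are assumptions made for illustration.

```javascript
// Simplified model of the browser-side CORS check (added example).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// requestOrigin: serialized origin of the calling page, e.g. "https://app.example"
// withCredentials: true when the request was sent with cookies / HTTP auth
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  const deny = (reason) => ({ allowed: false, reason });

  if (allowOrigin === null) return deny("no Access-Control-Allow-Origin");
  if (!withCredentials) {
    // Non-credentialed requests may be satisfied by the wildcard.
    return allowOrigin === "*" || allowOrigin === requestOrigin
      ? { allowed: true, reason: "ok" }
      : deny("origin mismatch");
  }
  // Credentialed request: the two rejection scenarios from the comment above.
  if (allowOrigin === "*") return deny("wildcard origin with credentials");
  if (allowOrigin !== requestOrigin) return deny("origin mismatch");
  if (allowCreds !== "true") return deny("no Access-Control-Allow-Credentials: true");
  return { allowed: true, reason: "ok" };
}

// Hypothetical server-side helper: echo the origin only when it is on an
// explicit allow-list, never reflect arbitrary origins, never send "*".
function buildCorsHeaders(requestOrigin, allowList) {
  if (!allowList.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's response to another
  };
}

// Constructed sample values.
const ORIGIN = "https://app.example";
const ALLOW_LIST = [ORIGIN];
console.log(corsCheck(ORIGIN, true, { "Access-Control-Allow-Origin": ORIGIN }));
console.log(corsCheck(ORIGIN, true, { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" }));
console.log(corsCheck(ORIGIN, true, buildCorsHeaders(ORIGIN, ALLOW_LIST)));
console.log(corsCheck("https://other.example", true, buildCorsHeaders("https://other.example", ALLOW_LIST)));
```

Echoing the request's Origin header back without an allow-list would pass this check for any site, which is why the helper returns no CORS headers for unknown origins.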