mention Access-Control-Expose-Headers: * in example

Author: annevk

Overview.html

@@ -2033,6 +2033,12 @@ <h4 id="cors-protocol-examples"><span class="secno">4.2.6 </span>Examples</h4>
  because <code>bar.invalid</code> needs to explicitly share each header by listing their names in
  the `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` response
  header.
+
+ <p>Alternatively, if <code>bar.invalid</code> wanted to share all its response headers, for
+ requests that do not include <a href="#credentials">credentials</a>, it could use `<code>*</code>` as value for
+ the `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` response
+ header. If the request would have included <a href="#credentials">credentials</a>, the response header names
+ would have to be listed explicitly and `<code>*</code>` could not be used.
 </div>
 
 <div class="example">

Overview.src.html

@@ -1961,6 +1961,12 @@ <h4 id=cors-protocol-examples>Examples</h4>
  because <code>bar.invalid</code> needs to explicitly share each header by listing their names in
  the `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` response
  header.
+
+ <p>Alternatively, if <code>bar.invalid</code> wanted to share all its response headers, for
+ requests that do not include <span>credentials</span>, it could use `<code>*</code>` as value for
+ the `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` response
+ header. If the request would have included <span>credentials</span>, the response header names
+ would have to be listed explicitly and `<code>*</code>` could not be used.
 </div>
 
 <div class="example">