Update Javadoc on CORS in spring-websocket

[kbuntrock]

According to the documentation, the iframe fallback is useful for transports with no native cross-domain communication.
See :

spring-framework/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java

Line 146 in 58e40d1

* Transports with no native cross-domain communication (e.g. "eventsource",

But when configuring my app for allowing a specific origin, and when my client request the Iframe, this bloc of code prevent me from getting it :

spring-framework/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java

Line 407 in 58e40d1

if (!getAllowedOrigins().isEmpty() && !getAllowedOrigins().contains("*") ||

This bloc of code seems to say I could bypass it by setting "*" in allowOrigins. But it then conflicts with the "Access-Control-Allow-Credentials" set to true, which is forbidden for the "*" regex.
https://docs.spring.io/spring-framework/docs/5.3.2/reference/html/web.html#websocket-fallback-sockjs-overview)

I have the feeling there is a contradiction here. For some transport, I need and iframe when I want to do cross-domain communication. But the very same process of providing an iframe is restricted if I want to access it cross-domain.

Is this code outdated and need an update? Or am I missing a point? If option one, I can work on the PR.

[rstoyanchev]

In 5.3 we no longer allow allowedOrigins to be "*" in combination with "Allow-Credentials". Instead you can use the allowedOriginPatterns property which also allows more flexible patterns.

I can see that the Javadoc for WebSocketHandlerRegistration#setAllowedOrigins doesn't explicitly mention this the way that CorsConfiguration#setAllowedOrigins does. I'll update that.