HTTP 200 OK Content-Access-Control: allow exclude , deny <*> exclude