Mysterious Drupal CORS errors? Here's a tiny fix you might be missing

Bug: Adding specific URls to services.yml files eg. allowedOrigins: ['http://localhost:3000']

returns the following error:

... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present

However the error does not get displayed when you set to a wildcard allowedOrigins: [*]

Solution: Specify your allowed origins instead of using the wildcard: allowedOrigins: ['http://localhost:3000'] and change exposedHeaders: true to exposedHeaders: []