whatwg / fetch

Fetch Standard

Home Page:https://fetch.spec.whatwg.org/


Note about credentials & wildcards probably incorrect for Access-Control-Expose-Headers

hamishwillee opened this issue

3.2.4. HTTP new-header syntax has a note at the end that says this:

For Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers response headers, the value * counts as a wildcard for requests without credentials. For such requests there is no way to solely match a header name or method that is *.

That makes sense for the other two headers, but maybe not for Access-Control-Expose-Headers. Specifically, that method tells a client what response headers it can expose to clients. The Authorization header would never appear in a response so is irrelevant here. How would cookies or other credential information be relevant in this context?

I think that means that * should allow sharing of all response headers. Right?

This fell out of a Mozilla bugzilla discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=1687364#c5

We only allow wildcarding for non-credentialed requests, to prevent responses from accidentally sharing too much information. So the note is accurate. * is a wildcard, but only if the request is non-credentialed. And when it functions as a wildcard, you cannot match a header whose name is *.

Edit: having looked at the Mozilla bug, this note is unrelated to Authorization.
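To make the behaviour discussed in the question and the reply concrete, here is an added example that is not part of the issue thread and not code from the Fetch spec repository. It models the step of Fetch's "main fetch" algorithm that builds a response's CORS-exposed header-name list from Access-Control-Expose-Headers, and the CORS-safelisted filtering a CORS filtered response then applies. The header list is assumed to be an array of [name, value] pairs, the sample response is constructed for the example, and parsing is simplified (split on commas, trim, lowercase) compared with the spec's "extracting header list values" algorithm.

```javascript
// Added example (not code from the Fetch spec repository): models how a
// response's CORS-exposed header-name list is derived from
// Access-Control-Expose-Headers, and which headers a script can then read.

// Names a CORS filtered response always exposes (Fetch: CORS-safelisted
// response-header names), stored lowercase.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-length', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Forbidden response-header names: never exposed, even if listed.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Combined value of every header named `name` in `headers`
// (an array of [name, value] pairs), or null if the header is absent.
function getHeader(headers, name) {
  const values = headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// Simplified stand-in for "extracting header list values".
function parseHeaderNameList(value) {
  if (value === null) return null;
  return value.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Fetch, main fetch: compute the response's CORS-exposed header-name list.
// `credentialsMode` is the request's credentials mode:
// 'omit', 'same-origin' or 'include'.
function corsExposedHeaderNameList(responseHeaders, credentialsMode) {
  const names = parseHeaderNameList(
    getHeader(responseHeaders, 'Access-Control-Expose-Headers'));
  if (names === null) return [];
  // `*` is a wildcard only when the request carried no credentials:
  // then every header name present on the response is exposed.
  if (credentialsMode !== 'include' && names.includes('*')) {
    return [...new Set(responseHeaders.map(([n]) => n.toLowerCase()))];
  }
  // Otherwise `*` is just a literal header name that nothing matches.
  return names;
}

// Header names a script can read from the CORS filtered response.
function visibleResponseHeaders(responseHeaders, credentialsMode) {
  const exposed = new Set(
    corsExposedHeaderNameList(responseHeaders, credentialsMode));
  return responseHeaders
    .map(([n]) => n.toLowerCase())
    .filter((n) => CORS_SAFELISTED_RESPONSE_HEADERS.has(n) ||
                   (exposed.has(n) && !FORBIDDEN_RESPONSE_HEADERS.has(n)));
}

// Constructed sample: a cross-origin API response that sets a cookie and
// uses a wildcard expose list.
const SAMPLE_RESPONSE = [
  ['Content-Type', 'application/json'],
  ['X-Request-Id', 'abc123'],
  ['X-RateLimit-Remaining', '42'],
  ['Set-Cookie', 'session=opaque; Secure; HttpOnly'],
  ['Access-Control-Allow-Origin', 'https://app.example'],
  ['Access-Control-Allow-Credentials', 'true'],
  ['Access-Control-Expose-Headers', '*'],
];

// Same response, but with the header the server actually wants to expose
// named explicitly, which is what a credentialed request requires.
const SAMPLE_RESPONSE_EXPLICIT = SAMPLE_RESPONSE.map(([n, v]) =>
  n === 'Access-Control-Expose-Headers' ? [n, 'X-Request-Id, *'] : [n, v]);

console.log('no credentials :', visibleResponseHeaders(SAMPLE_RESPONSE, 'same-origin'));
console.log('credentials    :', visibleResponseHeaders(SAMPLE_RESPONSE, 'include'));
console.log('explicit+creds :', visibleResponseHeaders(SAMPLE_RESPONSE_EXPLICIT, 'include'));
```

Running it shows the point of the note: for a request without credentials (a plain cross-origin fetch() defaults to credentials mode "same-origin", which sends none) the wildcard exposes every response header except the forbidden Set-Cookie. For a credentialed request the same response exposes only the safelisted Content-Type, because `*` is taken literally and no header has that name; the server has to list X-Request-Id explicitly, exactly as it must for Access-Control-Allow-Headers and Access-Control-Allow-Methods.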