It is said that instead of adding all domains to CORS, one should only add a set of domains. Yet it is sometimes not trivial to add a set of domains. E.g. if I want to publi
Except for csauve's one, none of the replies answer my original question.
To answer my question: it seems that as long as Access-Control-Allow-Credentials is not set then there is no security problem.
(Which makes me wonder why the spec requires preflight when Access-Control-Allow-Credentials is not set?)