Document use of CORS headers in SockJS Service

Issue: SPR-11437

src/asciidoc/index.adoc

@@ -37355,6 +37355,25 @@ be cached. For details on how to enable it see the
 https://github.com/sockjs/sockjs-client[SockJS client] page.
 ====
 
+[[websocket-fallback-cors]]
+==== SockJS and CORS
+
+The SockJS protocol uses CORS for cross-domain support in the XHR streaming and
+XHR polling transports. CORS headers are automatically added to SockJS requests
+for transports that require it as well as for the initial `"/info"` request.
+
+Spring's `SockJsServce` implementation checks for the presence of the CORS
+`"Access-Control-Allow-Origin"` header in the response. If present, no new CORS
+headers are added, essentially assuming that CORS support is configured
+centrally, e.g. through a Servlet Filter. Otherwise the following are added:
+
+* `"Access-Control-Allow-Origin"` - intitialized from the value of the "origin" request header or "*".
+* `"Access-Control-Allow-Credentials"` - always set to `true`.
+* `"Access-Control-Request-Headers"` - initialized from values from the equivalent request header.
+* `"Access-Control-Allow-Methods"` - the HTTP methods a transport supports (see `TransportType` enum).
+* `"Access-Control-Max-Age"` - set to 31536000 (1 year).
+
+For the exact implementation, see `addCorsHeaders` in `AbstractSockJsService`.
 
 [[websocket-fallback-sockjs-servlet3-async]]
 ==== SockJS and Servlet 3 Async Support