Friday, 27 February 2015

Why '*' cannot be used in the header when the credentials flag is NOT true?

My CORS request and response look like this:


Request (A pre-flight request before POST)



OPTIONS /authenticate/facebook HTTP/1.1
Host: waycanon-test.herokuapp.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://127.0.0.1:8999
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Access-Control-Request-Headers: accept, x-auth-token, content-type
Accept: */*
Referer: http://ift.tt/1BFCyxK
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2


Response



HTTP/1.1 204 No Content
Server: Cowboy
Date: Fri, 27 Feb 2015 09:34:30 GMT
Connection: keep-alive
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Referer, User-Agent, X-Auth-Token
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1728000
Allow: *
Content-Length: 0
Via: 1.1 vegur


And I got the error below in the browser (Chrome/Safari):



XMLHttpRequest cannot load http://ift.tt/1Dy349G. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://127.0.0.1:8999' is therefore not allowed access.



I saw another post similar to my issue. But this still looks very confusing to me because I haven't used the Access-Control-Allow-Credentials flag in the header. Does anyone have ideas about this?
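
The check that the browser's error message describes, as an added example that is not part of the original post: the "credentials flag" is a property of the request (for XMLHttpRequest, withCredentials), not the Access-Control-Allow-Credentials response header, and when it is set a wildcard Access-Control-Allow-Origin fails the check. corsCheck is a simplified model of the Fetch standard's CORS check and corsHeadersFor is a hypothetical server-side helper; that the client sets the flag is an assumption, since the page does not show the client code.

```javascript
// Added example: simplified model of the CORS check in the Fetch standard.
// `withCredentials` stands for the request's credentials flag, e.g.
// XMLHttpRequest.withCredentials = true on the client (an assumption here).
function corsCheck(origin, withCredentials, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  // Without credentials, '*' matches any origin.
  if (!withCredentials && allowOrigin === "*") return { ok: true, reason: "allowed" };
  // With credentials, '*' is never accepted, whatever else the response says.
  if (withCredentials && allowOrigin === "*") {
    return { ok: false, reason: "wildcard with credentials flag" };
  }
  if (allowOrigin !== origin) return { ok: false, reason: "origin mismatch" };
  // Credentialed requests also need the explicit, case-sensitive "true".
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { ok: true, reason: "allowed" };
}

// Hypothetical server-side helper: echo the origin only when it is on an
// explicit allow list, and add Vary so caches keep per-origin responses apart.
function corsHeadersFor(origin, allowList, allowCredentials) {
  if (!allowList.includes(origin)) return {};
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (allowCredentials) out["Access-Control-Allow-Credentials"] = "true";
  return out;
}

// Origin and response headers taken from the exchange shown in the post.
const ORIGIN = "http://127.0.0.1:8999";
const PAGE_RESPONSE = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "POST, GET, PUT, DELETE, OPTIONS",
};

console.log(corsCheck(ORIGIN, true, PAGE_RESPONSE));   // rejected: wildcard
console.log(corsCheck(ORIGIN, false, PAGE_RESPONSE));  // allowed
console.log(corsCheck(ORIGIN, true, corsHeadersFor(ORIGIN, [ORIGIN], true)));
```

Echoing the Origin header back without an allow list would make every site a credentialed caller, which is why the helper returns no CORS headers for origins it does not recognise.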

