This is a part of security, you cannot do that. If you want to allow credentials then your Access-Control-Allow-Origin
must not use *
. You will have to specify the exact protocol + domain + port. For reference see these questions :
- Access-Control-Allow-Origin wildcard subdomains, ports and protocols
- Cross Origin Resource Sharing with Credentials
Besides *
is too permissive and would defeat use of credentials. So set http://localhost:3000
or http://localhost:8000
as the allow origin header.