CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

by

This is a part of security, you cannot do that. If you want to allow credentials then your Access-Control-Allow-Origin must not use *. You will have to specify the exact protocol + domain + port. For reference see these questions :

  1. Access-Control-Allow-Origin wildcard subdomains, ports and protocols
  2. Cross Origin Resource Sharing with Credentials

Besides * is too permissive and would defeat use of credentials. So set http://localhost:3000 or http://localhost:8000 as the allow origin header.

More Related Contents:

  1. What is the motivation behind the introduction of preflight CORS requests?
  2. Same origin Policy and CORS (Cross-origin resource sharing)
  3. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  4. Origin is not allowed by Access-Control-Allow-Origin
  5. CORS issue while making an Ajax request for oauth2 access token
  6. Ajax vs Socket.io
  7. API Gateway CORS: no ‘Access-Control-Allow-Origin’ header
  8. How to properly redirect in NodeJS/ExpressJS?
  9. Why use AJAX when WebSockets is available?
  10. Cross-Domain AJAX doesn’t send X-Requested-With header
  11. Access denied in IE 10 and 11 when ajax target is localhost
  12. $http.get is not allowed by Access-Control-Allow-Origin but $.ajax is
  13. Set-Cookie on Browser with Ajax Request via CORS
  14. Detecting AJAX requests on NodeJS with Express
  15. Ajax call bug with Chrome new version 73.0.3683.75?
  16. AngularJS + Django Rest Framework + CORS ( CSRF Cookie not showing up in client )
  17. Enable CORS in Golang
  18. Web sockets make ajax/CORS obsolete?
  19. Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
  20. Cross-Origin Request Blocked
  21. Who can explain this ajax code for me [closed]
  22. How do I integrate Ajax with Django applications?
  23. jQuery.ajax handling continue responses: “success:” vs “.done”?
  24. How to get response status code from jQuery.ajax?
  25. Google Maps API throws “Uncaught ReferenceError: google is not defined” only when using AJAX
  26. How to enable cross-domain request on the server?
  27. Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response
  28. Stop the browser “throbber of doom” while loading comet/server push iframe
  29. ICEfaces libary in classpath prevents Save As dialog from popping up on file download
  30. Render multiple components with f:ajax

Leave a Comment