ring 2020-04-21 | Slack Archive

I have yet another cors issue:

Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

So it's a cors error, and I follow the instruction and set the credentials to false:

{"Content-Type" "application/edn"
             "Access-Control-Allow-Headers" "Content-Type"
             "Access-Control-Allow-Origin" "*"
             "Access-Control-Request-Method" "GET, OPTIONS"
             "Access-Control-Allow-Credentials" false}

But still getting the same error. Fixes?

seancorfield22:04:28

@pshar10 It wants you to fix the request not the response.

seancorfield22:04:22

Ah, further reading suggests that you can't provide "Access-Control-Allow-Credentials" false -- you must omit the header completely. Only a true value is permitted if the header is present.

seancorfield22:04:08

(I was initially thinking you could change the request to opt out of credentials but reading more on that has just confused me 🙂 )

Spaceman22:04:14

That solved credentials. But what about the new error? Access to XMLHttpRequest at 'http://localhost:3000/fetch-categories' from origin 'http://localhost:3689' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

seancorfield23:04:52

That's the same error you posted above.

seancorfield23:04:02

That's what I was responding to. Either you need to change the request (so credentials mode is not 'include') or change the headers you send back (to omit the allow credentials one).

2020-04-21

Channels