Google Chrome: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true

Question

I know this is something usual, With the earlier versions of chrome I used to set "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security --user-data-dir in chrome shortcut tab to avoid 'Access-Control-Allow-Origin' errors. With the latest version, it seems like this fix is not working anymore. After installing the latest version 53.0.2785.89 m this is the error in console

XMLHttpRequest cannot load https://example.org:15003/apps/services/preview/rr/common/1.0/default/index.html. Response to preflight request doesn't pass access control check: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://ibm-pb7en65:10080' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.

I am not sure which additional attributes are to be added to avoid 'Access-Control-Allow-Origin' error.Is there any way this can be achieved?

Answer 1

The error is telling you that the server sent back this response header:

Access-Control-Allow-Origin: *

...on a credentialed request. That doesn't work. On a request with credentials, the server must return a specific Access-Control-Allow-Origin header.

Since you're making the request from http://ibm-pb7en65:10080/, your server must send back this header:

Access-Control-Allow-Origin: http://ibm-pb7en65:10080

It cannot use the wildcard * instead.

The solution is either:

• Update the server to do that, or
• Remove credentials from the request

Details, as always, in the specification.