Master_T

Reputation: 8007

Reason for 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' error

I have a server that exposes some resources, and sends back the following headers:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

This is needed because the server contains static resources that are accessed by various webapps and dev environments throughout our intranet, which are all different origins.

This worked correctly until recently, but now it stopped. Now, if we try to access any of the resources from any origin, we receive the error:

Failed to load http://foo/bar/res: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://devenv06:4589' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute

So, I've tried adding my origins manually, like this:

Access-Control-Allow-Origin: http://devenv01,http://devenv02,http://prodserver
Access-Control-Allow-Credentials: true

but now I receive the error:

Failed to load http://foo/bar/res: The 'Access-Control-Allow-Origin' header contains multiple values, but only one is allowed

This basically makes the server unusable, since I need multiple origins.

So, what I want to know is:

Upvotes: 2

Views: 720

Answers (1)

Quentin

Reputation: 944545

Is this something new that browsers introduced, or did something change on the server?

It is not a new requirement in the spec.

Is there a general solution instead of having to manually set every possible origin?

Write logic that reads the Origin request header, then uses that value to generate the Access-Control-Allow-Origin response header.

Usually you will want to pass it through a whitelist first; otherwise, you are giving permission to evil-hacker.example.com to make requests to your server from the browsers of people logged into your site, with all the credentials needed to prove they are who they say they are. That would probably be a massive security problem and render having credentials in the first place pointless.

Upvotes: 1
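An added example of the approach the answer describes, not code from the question or the answer: a small Node.js helper that reads the request's Origin, checks it against an allowlist of exact origins, and echoes that single origin back (never "*" and never a comma-separated list, which is what the two errors in the question are about). The devenv/prodserver hostnames come from the question and the devenv06:4589 port from the quoted error; the allowlist contents, the function names and the applyCors wrapper are assumptions for this illustration. Two practitioner details are included that the answer does not spell out: matching is on the full normalized origin (scheme, host and port), so "http://devenv01.evil.example" and the literal "null" origin are rejected, and the response carries Vary: Origin so caches do not serve one origin's ACAO header to another.

```javascript
// Added example (not from the original post): per-request CORS headers
// that echo an allowlisted Origin for credentialed requests.

// Constructed allowlist of exact origins in canonical form
// (scheme://host[:port]). Hostnames are taken from the question; which
// ones should really be allowed is an assumption made here.
const ALLOWED_ORIGINS = new Set([
  "http://devenv01",
  "http://devenv02",
  "http://devenv06:4589",
  "http://prodserver",
]);

/**
 * Normalize an Origin header value to its canonical serialization
 * (lower-case scheme and host, default port dropped). Returns null for
 * anything that is not a single parseable origin, including the literal
 * "null" origin browsers send from sandboxed iframes and file:// pages.
 */
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // "*", a bare hostname, a comma-separated list, etc.
  }
  // A real Origin header carries no path, query, fragment or userinfo.
  if (url.pathname !== "/" || url.search || url.hash || url.username) return null;
  return url.origin; // e.g. "http://devenv06:4589"
}

/**
 * Build the CORS response headers for a credentialed request from the
 * request's Origin header. Returns null when the origin is not allowed;
 * in that case no Access-Control-Allow-Origin header is sent at all and
 * the browser blocks the cross-origin read.
 */
function corsHeadersFor(originHeader, allowlist = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(originHeader);
  // Exact set membership: no substring, prefix or regex matching, which
  // is how "http://devenv01.evil.example" would otherwise slip through.
  if (origin === null || !allowlist.has(origin)) return null;
  return {
    // Exactly one origin, echoed back. "*" is rejected by the browser
    // when credentials are included; a list of origins is always rejected.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response now varies by request Origin, so browser and
    // intermediary caches must key on that header.
    "Vary": "Origin",
  };
}

/**
 * Hypothetical wrapper for a node:http handler: sets the headers on the
 * response and reports whether the origin was allowed. `req` and `res`
 * are assumed to follow the http.IncomingMessage / http.ServerResponse
 * shape (req.headers.origin, res.setHeader).
 */
function applyCors(req, res, allowlist = ALLOWED_ORIGINS) {
  const headers = corsHeadersFor(req.headers.origin, allowlist);
  if (headers === null) return false;
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return true;
}

module.exports = { ALLOWED_ORIGINS, normalizeOrigin, corsHeadersFor, applyCors };
```

Inside a server you would call applyCors(req, res) before writing the body (and, for preflighted requests, also answer the OPTIONS request with the method and header allowances your API needs). New dev environments then only require an entry in the allowlist, not a new hard-coded header.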
