
I have an app on Heroku at http://random-name.herokuapp.com that sends emails with Mandrill. However, regardless of whether I'm running the app locally at localhost:5000 or remotely on Heroku, I throw the following error when trying to send emails:

XMLHttpRequest cannot load https://mandrillapp.com/api/1.0/messages/send.json. Response to preflight request doesn't pass access control check: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://random-name.herokuapp.com' is therefore not allowed access.

There's a lot of documentation on Stack Overflow about this error (see CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true), and consequently, I set my express headers to the following:

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "http://localhost:5000 http://random-name.herokuapp.com");
  res.header('Access-Control-Allow-Credentials', true);
  res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});

However, this doesn't seem to solve the issue. I couldn't find anything useful in Mandrill's documentation either. I'm guessing I'm specifying the headers incorrectly, or perhaps they aren't even being used. Any ideas?

sir_thursday
1 Answer


Access-Control-Allow-Origin takes a single value, not a space separated list.

You need to return whatever the client sends in the Origin request header (test to make sure that is an acceptable origin to you first though!).

Quentin
  • So it looks like the response headers are a wildcard: `Access-Control-Allow-Origin:* Content-Encoding:gzip Content-Type:text/html; charset=utf-8` – sir_thursday Jan 24 '16 at 15:26
  • What do you mean by "return whatever the client sends"? – sir_thursday Jan 24 '16 at 15:27
  • @sir_thursday — You tried using a wildcard and the error message clearly told you that because you set `withCredentials` you aren't allowed to use a wildcard. – Quentin Jan 24 '16 at 15:28
  • @sir_thursday — The client says `Origin: http://example.com` then you must say `Access-Control-Allow-Origin: http://example.com`. – Quentin Jan 24 '16 at 15:28
  • Sorry, I'm confused. Are you saying to use a wildcard, because that's what the client is responding with? I've tried that as well, and it throws the same error. – sir_thursday Jan 24 '16 at 15:29
  • @sir_thursday — You must not use a wildcard. The client isn't responding with anything. The client makes requests. The server responds. Your original code was responding with a wildcard. That was wrong. That was why you got the first error message you quoted. – Quentin Jan 24 '16 at 15:30
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/101522/discussion-between-sir-thursday-and-quentin). – sir_thursday Jan 24 '16 at 15:50
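The answer's advice, as an added example that is not code from the question or the answer: an Express-style middleware that echoes the request's Origin back in Access-Control-Allow-Origin only when that origin is on an explicit allow-list, so neither a wildcard nor a space-separated list is ever sent alongside Allow-Credentials. The two allowed origins, and the req/res shapes in the middleware, are assumptions; note that these headers only have effect on the server that actually receives the cross-origin request.

```javascript
// Added example (not from the question or answer): allow-list an Origin and
// echo it back, instead of sending '*' or a space-separated list.
// The allowed origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:5000',
  'http://random-name.herokuapp.com',
]);

// Returns the CORS response headers for a given Origin request header, or null
// when the origin is absent or not allowed (no CORS headers are emitted then).
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // Exact string match only: no prefix, suffix or regex matching, which is a
  // common way to accidentally allow origins that merely look similar.
  if (typeof origin !== 'string' || !allowed.has(origin)) return null;
  return {
    // A single value echoing the allowed origin; a wildcard is rejected by
    // browsers when credentials are sent, and a list is not a valid value.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept',
    // Tell caches the response differs per Origin, so one client's allowed
    // origin is not served from a shared cache to another client.
    'Vary': 'Origin',
  };
}

// Express-compatible middleware, used as app.use(corsMiddleware()). Express is
// not required here; req/res are assumed to follow its shape (req.get,
// res.header, res.sendStatus).
function corsMiddleware(allowed = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const headers = corsHeadersFor(req.get('Origin'), allowed);
    if (headers) {
      for (const [name, value] of Object.entries(headers)) res.header(name, value);
    }
    // Answer the preflight directly. A disallowed origin gets no CORS headers,
    // so the browser blocks the actual request before it is sent.
    if (req.method === 'OPTIONS') return res.sendStatus(204);
    next();
  };
}
```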