
I have a main domain and a subdomain (where Mautic is installed). Unfortunately, I have a cross-origin HTTP request problem if Mautic is set up within a subdomain. When I load example.com I get the following errors in the Safari console:

Failed to load resource: Origin https://example.com is not allowed by Access-Control-Allow-Origin. XMLHttpRequest cannot load https://subdomain.example.com/mtc.
Origin https://example.com is not allowed by Access-Control-Allow-Origin.

Which makes sense for security reasons.

So I added header set Access-Control-Allow-Origin: https://example.com to the /etc/httpd/conf/httpd.conf file of https://subdomain.example.com, thanks to this article about CORS on MDN. But now I get the following error:

Failed to load resource: Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
XMLHttpRequest cannot load https://subdomain.example.com/mtc. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".

Then I added header set Access-Control-Allow-Credentials: true to the /etc/httpd/conf/httpd.conf file. But I still get an error:

Failed to load resource: Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers.
XMLHttpRequest cannot load https://subdomain.example.com/mtc. Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers

And this is where I'm stuck. Can someone help me? Thanks in advance.

Brian Nezhad
    Not exactly the same, but this should help: http://stackoverflow.com/questions/13146892/cors-access-control-allow-headers-wildcard-being-ignored – Dusan Bajic Oct 21 '16 at 21:14

1 Answer


I found the solution to this issue. What you need to do is set the Origin, Headers, and Credentials. I missed the "headers" section, which I didn't specify in my httpd.conf. Here is the complete configuration:

Header set Access-Control-Allow-Origin: https://example.com
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
Header set Access-Control-Allow-Credentials true
yunzen
Brian Nezhad
    didn't work `The value of the 'Access-Control-Allow-Credentials' header in the response is 'true, true' which must be 'true' when the request's credentials mode is 'include'` – nodws Jan 24 '18 at 19:00
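
As an added example (not part of the original posts): a simplified JavaScript model of the checks a browser applies to a credentialed cross-origin request, run against the header set from the answer and against a response where Access-Control-Allow-Credentials appears twice, which yields the 'true, true' value quoted in the comment. The function names, the sample request, and the duplicated-header scenario are assumptions constructed for illustration.

```javascript
// Request headers that never need listing in Access-Control-Allow-Headers.
// Content-Type is only safelisted for some values, so it is not included here.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);

// A header sent more than once is seen by the browser as one value joined with ", ".
function combined(pairs, name) {
  const vals = pairs.filter(([k]) => k.toLowerCase() === name).map(([, v]) => v.trim());
  return vals.length ? vals.join(', ') : null;
}

// req: { origin, credentials, headers: [names] }
// responseHeaders: array of [name, value] pairs, duplicates allowed.
// Returns the reasons the response would be blocked (empty array = allowed).
function corsProblems(req, responseHeaders) {
  const problems = [];
  const allowOrigin = combined(responseHeaders, 'access-control-allow-origin');
  const allowCreds = combined(responseHeaders, 'access-control-allow-credentials');
  const allowHeaders = (combined(responseHeaders, 'access-control-allow-headers') || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

  // With credentials the origin must match exactly; "*" is rejected.
  const originOk = allowOrigin === req.origin || (!req.credentials && allowOrigin === '*');
  if (!originOk) problems.push(`origin: got ${JSON.stringify(allowOrigin)}`);

  // Must be exactly "true"; a duplicated header combines to "true, true".
  if (req.credentials && allowCreds !== 'true') {
    problems.push(`credentials: got ${JSON.stringify(allowCreds)}`);
  }
  for (const h of req.headers.map((x) => x.toLowerCase())) {
    if (SAFELISTED.has(h)) continue;
    // "*" is a wildcard only for requests without credentials.
    const ok = allowHeaders.includes(h) || (!req.credentials && allowHeaders.includes('*'));
    if (!ok) problems.push(`header: ${h} not allowed`);
  }
  return problems;
}

// Constructed sample: the page's request and the header set from the answer.
const request = { origin: 'https://example.com', credentials: true, headers: ['X-Requested-With'] };
const fixed = [
  ['Access-Control-Allow-Origin', 'https://example.com'],
  ['Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept'],
  ['Access-Control-Allow-Credentials', 'true'],
];
// Assumed scenario: the credentials header is emitted a second time.
const duplicated = [...fixed, ['Access-Control-Allow-Credentials', 'true']];
console.log(corsProblems(request, fixed));
console.log(corsProblems(request, duplicated));
```

Capturing the actual response headers (for example from the browser's network tab) and feeding them in as pairs shows whether a header is arriving once or twice.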