3

I'm running an ionic application using ionic serve on port 8080. I do understand the preflight process and I believe I'm getting the right response:

The request

Still, I'm getting this error:

Failed to load https://bla.bla: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:8080' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Then, the real request (GET) is not being sent. What is even weirder is that just before this one request, I'm able to send a POST to the same server. The response headers are the same. The only difference in the request is that the Access-Control-Request-Headers is content-type instead of authentication

Any ideas?

isherwood
  • 58,414
  • 16
  • 114
  • 157
GBarroso
  • 467
  • 1
  • 8
  • 19
  • 1
    Possible duplicate of [Deadly CORS when http://localhost is the origin](https://stackoverflow.com/questions/10883211/deadly-cors-when-http-localhost-is-the-origin) – Andreas Feb 27 '18 at 17:12
  • @Andreas doesn't look like it is. I definitively can send a POST request from localhost:8080 to my server, the preflight doesn't block it. But the GET above is being denied – GBarroso Feb 27 '18 at 17:35
  • Exactly what browser are you actually testing in? The value of User-Agent request header in screenshot looks like the one sent by the iPhone browser engine, not Chrome/Blink. But your title and tags say Chrome. – sideshowbarker Feb 27 '18 at 18:15
  • Have you tested the request in other browsers (Firefox?) and do you get the same error? – sideshowbarker Feb 27 '18 at 18:16
  • @sideshowbarker I'm using chrome, this might be because I had the device toggle activated – GBarroso Feb 27 '18 at 18:46
  • @sideshowbarker just tested on firefox and it works fine. – GBarroso Feb 27 '18 at 18:55

1 Answers1

1

Finally found the answer and it was my fault, not a chrome bug.

Thing is, some time ago I tried using this extension: https://chrome.google.com/webstore/detail/cors-toggle/jioikioepegflmdnbocfhgmpmopmjkim?hl=en

And it didn't work for my needs, but I forgot to uinstall it. Turns out it was having some kind of conflict, since it seems to add an "Access-Control-Allow-Origin: *" header for every response. Thus it would conflict in a request with credentials (I'm guessing the Authentication header does that, not sure why tbh).

Anyway, after I uninstalled it, it's now working fine.

GBarroso
  • 467
  • 1
  • 8
  • 19