-1

I am a newbie to JavaScript and the web-development domain. I am trying to get some data from a REST API via a GET call. However, I am getting a CORS error when I try to make this call. I tried to read up on Stack Overflow and a couple of other websites on how to fix the error, but I am a bit confused as well as technically weak.

Here is a snippet of my code:

    var xhReq = new XMLHttpRequest();
    xhReq.open("GET", api_url, true, user, pass);
    xhReq.withCredentials = true;
    xhReq.send(null);

Here is the error I receive:

    Access to XMLHttpRequest at 'http://the api url' from origin 'http://localhost' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

From what I understand, the issue is due to the response header having a '*' in the Access-Control-Allow-Origin field.


My question is: what's the problem here?

  1. Should I ask the API developer guy to send a different value in the Access-Control-Allow-Origin field?

  2. Some examples on the Internet suggest setting the withCredentials field to false. However, it leads to a different CORS error saying no header was found:

    Access to XMLHttpRequest at 'http://the api url' from origin 'http://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

  3. I am running it from localhost using WAMP server. Is it something that will work fine on the production server, since both the API URL and the server URL have the same domain of my university?

Do let me know if you need any more information. I am currently testing it from my local machine.

Edit: Added Request header screenshot

StanGeo
  • It is difficult to give an answer that helps without seeing the framework you're using. Are you doing vanilla JS? What does your request header look like and what does the API doc say about CORS requests? The two errors are kinda contradictory, so maybe also a server problem. Depending on the setup, the solution is going to be different, so if you could add more details, that will help. Also, it might help you to read up on this: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS – thomi Apr 08 '21 at 19:19
  • 3: maybe... if it also has the same port, protocol and subdomain. Is this API meant to be called from a web browser? – Kevin B Apr 08 '21 at 19:22
  • I have now added the request header screenshot @thomi – StanGeo Apr 08 '21 at 19:35
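
The rule behind both error messages in the question, as an added example that is not part of the original post or any answer: a simplified model of the browser's check on a simple GET response, next to a server-side header builder that echoes an allow-listed origin instead of `*`. The allow-list contents and the function names are hypothetical.

```javascript
// Added example. ALLOWED_ORIGINS and both function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://localhost", "https://app.example.edu"]);

// Server side: build CORS headers for a request that carries credentials.
// Echo the Origin only when it is on the allow-list; never send "*" here and
// never reflect an arbitrary Origin, which would let any site read the reply.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) {
    return {}; // no CORS headers: the browser withholds the response
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse this reply for another origin
  };
}

// Simplified model of the browser's check on a simple GET response.
// Returns "ok" or the reason the response is withheld from the page.
function browserCheck(pageOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (withCredentials) {
    if (acao === "*") return "blocked: wildcard not allowed with credentials";
    if (acao !== pageOrigin) return "blocked: origin mismatch";
    if (headers["Access-Control-Allow-Credentials"] !== "true")
      return "blocked: Access-Control-Allow-Credentials is not true";
    return "ok";
  }
  return acao === "*" || acao === pageOrigin ? "ok" : "blocked: origin mismatch";
}

// Constructed cases: the first two mirror the two errors in the question.
function demo() {
  const page = "http://localhost";
  const other = "http://other.example"; // constructed origin, not on the allow-list
  return {
    wildcardWithCreds: browserCheck(page, { "Access-Control-Allow-Origin": "*" }, true),
    noHeader: browserCheck(page, {}, false),
    allowListed: browserCheck(page, corsHeadersFor(page), true),
    unknownOrigin: browserCheck(other, corsHeadersFor(other), true),
  };
}
console.log(demo());
```
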

1 Answer

-2
Mahmoud Y3c