Access-Control-Allow-Origin is * when using custom headers

Question

When I use:

async function APIsignUp(name, pass) {
  let response = await fetch(domain + `signup`, {
    method: "GET",
    credentials: "include",
  });
  return await response.json();
}

It works well but after adding some custom headers:

async function APIsignUp(name, pass) {
  let response = await fetch(domain + `signup`, {
    method: "GET",
    credentials: "include",
    headers: {
      "X-Username": name,
      "X-Password": pass,
    },
  });
  return await response.json();
}

It will throw error:

The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

But I already added Access-Control-Allow-Origin, Access-Control-Allow-Credentials and Access-Control-Allow-Headers header at server-side (I use sqark java)

At my server-side:

    res.header("Access-Control-Allow-Origin", domain);
    res.header("Access-Control-Allow-Credentials", "true");
    res.header("Access-Control-Allow-Headers", "X-Username, X-Password");

Does this help you? https://stackoverflow.com/questions/19743396/cors-cannot-use-wildcard-in-access-control-allow-origin-when-credentials-flag-i The problem is that you cannot include credentials with a wildcard origin, you must include domain and port, but that's still a backend problem, not really a frontend-related one (imho). — briosheje, Aug 31 '21 at 07:58
This question has nothing to do with javascript or fetch. It is 100% a Java question — slebetman, Aug 31 '21 at 08:00
You're true, I fixed it by adding those code https://gist.github.com/saeidzebardast/e375b7d17be3e0f4dddf — SonMooSans, Aug 31 '21 at 08:15
@SonMooSans perfect. I suggest you to either self-answer the question or delete it, the proper way would probably be to self-answer and explain that it was not a client related question (in case someone encounters the same issue), then add `java` to the tags above. — briosheje, Aug 31 '21 at 08:21

score -2 · Answer 1 · answered Aug 31 '21 at 07:54

-2

you can use cors package it will remove the pain or manually you can add the origin in your code

answered Aug 31 '21 at 07:54

Adarsh

29
2

Please provide additional details in your answer. As it's currently written, it's hard to understand your solution. – Community Aug 31 '21 at 08:16

Access-Control-Allow-Origin is * when using custom headers

1 Answers1