Here is a snippet of my code:
var xhReq = new XMLHttpRequest(); xhReq.open("GET", api_url, true, user, pass); xhReq.withCredentials = true; xhReq.send(null);
Here is the error I receive:
Access to XMLHttpRequest at ‘htpp://the api url’ from origin ‘http://localhost’ has been blocked by CORS policy: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
From what I understand, the issue is due to the response header having a ‘*’ in the Access-Control-Allow-Origin field.
My question is …What’s the problem here ?
Should I ask the API developer guy to send a different value in the Access-Control-Allow-Origin field
Some examples on Internet suggests to set the withCredentials field to false. However, it leads to a different CORS error saying no header was found
Access to XMLHttpRequest at 'http://the api url' from origin 'http://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I am running it from localhost using WAMP server. Is it something that will work fine on the production server since both the API url and the server url have the same domain of my university.
Do let me know if you need any more information. I currently testing it from my local machine.