How do I fix a cross-origin request error indicating that Access-Control-Allow-Origin cannot be an asterisk (*)?

Updated at: 2023-12-25 02:10

Problem description

Access-Control-Allow-Origin is set to an asterisk (*) in a cross-origin resource sharing (CORS) rule for an Object Storage Service (OSS) bucket, and credentials are enabled in the front-end code (for example, xhr.withCredentials is set to true). The following error is returned for a cross-origin request for an object in the bucket:

Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Causes

When a cross-origin request is sent with credentials, the browser security policy does not accept an asterisk (*) as the value of Access-Control-Allow-Origin. This restriction prevents a domain from being accessed with credentials from all other domains, which could leak credentials such as cookies, Authorization header information, and other sensitive information.

Solutions

  • If you want cross-origin requests to include credentials, change the Access-Control-Allow-Origin settings from * to specific origin URLs, such as https://example.com. For more information, see CORS.

  • If you do not want cross-origin requests to include credentials, disable credentials in your front-end code by setting withCredentials to false. Sample code:

    // Send the cross-origin request without cookies or HTTP authentication
    xhr.withCredentials = false;
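The check that produces this error can be written out to see which header combinations a browser accepts. This is an added example, not Alibaba Cloud code or part of the original page. It follows the CORS check in the Fetch standard, and the function name corsCheck, its parameters, and the sample header values are hypothetical.

```javascript
// Added example: the browser-side CORS check, reduced to the two
// response headers this page discusses. Names and samples are constructed.
function corsCheck({ origin, credentialsMode, headers }) {
  // Header names are case-insensitive, so normalize them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }
  const allowOrigin = h["access-control-allow-origin"];
  const allowCredentials = h["access-control-allow-credentials"];
  // xhr.withCredentials = true corresponds to credentials mode "include".
  const withCredentials = credentialsMode === "include";

  if (allowOrigin === undefined) {
    return { ok: false, reason: "Access-Control-Allow-Origin is missing" };
  }
  if (allowOrigin === "*") {
    return withCredentials
      ? { ok: false, reason: "wildcard '*' is rejected in 'include' mode" }
      : { ok: true, reason: "wildcard is accepted without credentials" };
  }
  // A specific value must equal the request's Origin exactly.
  if (allowOrigin !== origin) {
    return { ok: false, reason: "allowed origin does not match request" };
  }
  if (!withCredentials) {
    return { ok: true, reason: "origin matches" };
  }
  // With credentials, the response must also carry the literal "true".
  return allowCredentials === "true"
    ? { ok: true, reason: "origin matches and credentials are allowed" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Constructed sample responses for a page served from https://example.com.
const SAMPLES = [
  ["include", { "Access-Control-Allow-Origin": "*" }],
  ["same-origin", { "Access-Control-Allow-Origin": "*" }],
  ["include", { "Access-Control-Allow-Origin": "https://example.com",
                "Access-Control-Allow-Credentials": "true" }],
];
for (const [credentialsMode, headers] of SAMPLES) {
  const r = corsCheck({ origin: "https://example.com", credentialsMode, headers });
  console.log(credentialsMode, JSON.stringify(headers), "->", r.ok, r.reason);
}
```
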