Hi,
Before I get directed to use the search feature:
- I searched and looked through probably all topics related to CORS at this point.
- I do understand how CORS works and what it’s supposed to guard against.
- My issue is different from the topics found using search: the header is present, but has an invalid value.
I’m trying to use the basic REST API from a JavaScript application. I need to set withCredentials to true so that the Authorization header is sent across different origins. However, Chrome (v. 91) then hides the response from me due to CORS policy, with the following error:
Access to XMLHttpRequest at 'https://api.company-information.service.gov.uk/company/11322864' from origin 'https://<origin>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
As you can see from the error and as I can see from the F12 Network tab, the ‘Access-Control-Allow-Origin’ in the preflight OPTIONS request is a wildcard ‘*’. This makes this issue different from the topics I could find, where that header was missing. My API key has a JavaScript domain value provided that exactly matches the one I’m trying to get the response from and still, the header is a wildcard. For Chrome to allow the application to read the response from the GET request, the OPTIONS request has to specify my origin in the ‘Access-Control-Allow-Origin’ header, not just the wildcard.
Does setting JavaScript domains for a key take a long time (more than several hours) to start working? Do I need to do anything else to change the wildcard '*' ‘Access-Control-Allow-Origin’ header on the OPTIONS request except setting the JavaScript domains entries for my REST API key?
Just for clarity, the authentication I’m using works, I am able to get the requested resource using curl.
Thank you for your time
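
The browser-side rule behind the error above, as an added example that is not part of the original post: a simplified JavaScript model of the preflight checks from the Fetch specification, useful for testing what headers a server must return for a credentialed request. The function name `checkPreflight`, the request/response object shapes and the origin `https://app.example` are assumptions made for illustration.

```javascript
// Added example: simplified model of the Fetch-spec checks applied to a preflight response.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// request:  { origin, method, unsafeHeaders: [names], credentials: boolean }
// response: { status, headers: { "lower-cased-name": value } }
function checkPreflight(request, response) {
  const h = response.headers;
  const fail = (reason) => ({ ok: false, reason });

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return fail("Access-Control-Allow-Origin missing");
  if (request.credentials) {
    // With credentials, "*" is rejected and the exact origin must be echoed back.
    if (allowOrigin === "*") return fail("wildcard origin not allowed with credentials");
    if (allowOrigin !== request.origin) return fail("origin mismatch");
    if (h["access-control-allow-credentials"] !== "true")
      return fail("Access-Control-Allow-Credentials is not 'true'");
  } else if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return fail("origin mismatch");
  }
  if (response.status < 200 || response.status > 299) return fail("preflight status not 2xx");

  const wildcardOk = !request.credentials; // "*" is a literal when credentials are included
  const methods = parseList(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(request.method) && !methods.includes(request.method) &&
      !(wildcardOk && methods.includes("*")))
    return fail(`method ${request.method} not allowed`);

  const allowed = parseList(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  for (const name of request.unsafeHeaders.map((n) => n.toLowerCase())) {
    // Authorization is never covered by "*", with or without credentials.
    const starCovers = wildcardOk && name !== "authorization" && allowed.includes("*");
    if (!allowed.includes(name) && !starCovers) return fail(`header ${name} not allowed`);
  }
  return { ok: true, reason: "preflight passes" };
}

// Constructed sample: the situation in the post (wildcard origin, credentialed request).
const sampleRequest = { origin: "https://app.example", method: "GET",
                        unsafeHeaders: ["Authorization"], credentials: true };
console.log(checkPreflight(sampleRequest, { status: 200,
  headers: { "access-control-allow-origin": "*", "access-control-allow-headers": "authorization" } }));
```

curl succeeds in the same situation because it does not enforce CORS; the check is applied only by the browser when it decides whether script may read the response.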