Before I get directed to use the search feature:
- I searched and looked through probably all topics related to CORS at this point.
- I do understand how CORS works and what it’s supposed to guard against.
- My issue is different from the topics found using search: the header is present, but has an invalid value.
true so that the
Authorization header is sent across different origins. However, Chrome (v. 91) then hides the response from me due to CORS policy, with the following error:
Access to XMLHttpRequest at 'https://api.company-information.service.gov.uk/company/11322864' from origin 'https://<origin>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
As you can see from the error and as I can see from the F12 Network tab, the ‘Access-Control-Allow-Origin’ in the preflight OPTIONS request is a wildcard ‘*’. This makes this issue different from the topics I could find, where that header was missing. My API key has a
'*' ‘Access-Control-Allow-Origin’ header on OPTIONS request except setting the
Just for clarity, the authentication I’m using works; I am able to get the requested resource using
Thank you for your time
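
The check behind the Chrome error quoted in the post above, as an added example that is not part of the original post: a small model of the Fetch-standard CORS check run against a preflight response. `corsCheck`, its argument names and the `https://app.example` origin are assumptions made for illustration; the first case is the situation the post describes.

```javascript
// Added example: a model of the Fetch-standard "CORS check" applied to a
// preflight response. corsCheck() and its argument names are hypothetical.
function corsCheck({ requestOrigin, credentialsMode, responseHeaders }) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  // A wildcard is only honoured when no credentials are attached.
  if (allowOrigin === "*") {
    return credentialsMode === "include"
      ? { ok: false, reason: "wildcard not allowed with credentials" }
      : { ok: true, reason: "wildcard accepted" };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (credentialsMode !== "include") {
    return { ok: true, reason: "origin echoed" };
  }
  // With credentials the server must also opt in explicitly (value is case-sensitive).
  if (h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "missing Access-Control-Allow-Credentials: true" };
  }
  return { ok: true, reason: "origin echoed with credentials" };
}

// Constructed sample inputs; https://app.example is a placeholder origin.
const origin = "https://app.example";
const wildcardPreflight = { "Access-Control-Allow-Origin": "*" };
const echoedPreflight = {
  "Access-Control-Allow-Origin": origin,
  "Access-Control-Allow-Credentials": "true",
};

const cases = [
  ["withCredentials = true, wildcard", "include", wildcardPreflight],
  ["withCredentials = false, wildcard", "same-origin", wildcardPreflight],
  ["withCredentials = true, echoed origin", "include", echoedPreflight],
];
for (const [label, credentialsMode, responseHeaders] of cases) {
  const r = corsCheck({ requestOrigin: origin, credentialsMode, responseHeaders });
  console.log(`${label}: ${r.ok ? "pass" : "blocked"} (${r.reason})`);
}
```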