I am using IBM HTTP Server 9.0.0.7. There is a planned integration in which the user sends requests via Chrome. httpd.conf contains the following:
<VirtualHost *:443>
SSLEnable
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,PATCH,OPTIONS"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, Access-Control-Request-Method, Access-Control-Request-Headers, Credentials"
Header set Access-Control-Allow-Credentials "true"
</VirtualHost>
The browser allows the initial login request, but subsequent AJAX requests are blocked by CORS. The error thrown is:
Access to XMLHttpRequest at 'https://someip/api?select=category,description' from origin 'http://localhost:38359' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Since the integration is browser based, i.e. the user will be accessing the API via the browser, I think the solution is to set Header set Access-Control-Allow-Origin
to the incoming request IP.
Any idea how this can be done? BTW, I have no control over this integration other than being able to change the HTTP server settings.
It wants the origin initiating the XHR request, which is in the error message: http://localhost:38359
If you need to support multiple origins without * (due to the use of credentials), you will need to make it conditional on the Origin: header coming in as input.
For example:
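One way to do this in httpd.conf for IBM HTTP Server (Apache 2.4 based), added here as an illustration rather than as the answerer's own configuration: match the incoming Origin against an explicit allowlist with SetEnvIf, and only then echo that exact origin back. The allowlist itself is an assumption; it uses the dev origin from the error message plus a hypothetical production front end, https://app.example.com.

```apache
# Added example (not the original poster's or answerer's config).
# Reflect the request's Origin into Access-Control-Allow-Origin only when it is
# on an explicit allowlist. A browser sending credentials ('include') requires an
# exact origin; '*' is rejected, as the error in the question shows.
<VirtualHost *:443>
    SSLEnable
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Allowlist of origins (assumed: the dev origin from the error message and a
    # hypothetical production front end). The regex is anchored and the dots are
    # escaped, so an origin such as https://app.example.com.evil.net does NOT match.
    SetEnvIf Origin "^(http://localhost:38359|https://app\.example\.com)$" CORS_ORIGIN=$1

    # Set CORS headers only when the Origin matched. 'always' also applies them to
    # 401/403 and other non-2xx responses, e.g. an OPTIONS preflight that lands on
    # an authenticated location; a plain 'Header set' would skip those.
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,PATCH,OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" env=CORS_ORIGIN

    # The response now depends on the Origin request header, so tell shared caches.
    Header always merge Vary "Origin"
</VirtualHost>
```

To check it, send a preflight by hand, e.g. `curl -sik -X OPTIONS -H "Origin: http://localhost:38359" -H "Access-Control-Request-Method: GET" https://someip/api`, and confirm that Access-Control-Allow-Origin echoes that origin; repeat with an Origin that is not on the list and confirm the CORS headers are absent. Do not be tempted to shortcut this with `SetEnvIf Origin "^(.+)$"`: reflecting any Origin together with Allow-Credentials: true recreates the wildcard the browser is refusing, and lets any site the user visits make authenticated requests to the API.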