sockjs/sockjs-node

Header in the response must not be the wildcard '*' when the request's credentials mode is 'include'

Opened this issue · 8 comments

When using SockJS and trying to connect to a secured (Auth0) Spring Boot REST controller (localhost:8081) from an Angular 2 client (localhost:4200) I receive the following error message:

The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

This issue seems related to issue 177, but the error I receive tells me that the credentials mode is set to 'include' and not that the credentials flag is true. I'm using the latest SockJS, where issue 177 should be resolved according to node_modules\sockjs\Changelog.

Code and more explanation can be found on stackoverflow.

What could be causing this problem?

Am encountering the same problem. Did you ever find a solution @Samvherck?

Seems like a SockJS bug, so I went for a StompJS-only solution (which seems almost identical).

import { Injectable } from '@angular/core';
import 'stompjs';
declare let Stomp: any;

@Injectable()
export class StompService {

    url = 'http://localhost:8081/message/';
    stompUrl = 'ws://localhost:8081/message';
    stompClient: any;

    constructor() {}

    // Open a plain WebSocket (no SockJS transport layer) and speak STOMP over it.
    connectStomp(callback: (response) => void) {
        let self = this;

        let webSocket = new WebSocket(this.stompUrl);
        this.stompClient = Stomp.over(webSocket);

        this.stompClient.connect({}, function (frame) {
            self.stompClient.subscribe('/topic/messages', function (response) {
                callback(response);
            });
        });
    }

    // Send the caller's content to the application destination.
    sendStompMessage(content: string) {
        this.stompClient.send("/app/message", {}, content);
    }
}

Here's a link to the MDN explanation of what's happening https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials, which covers both the XHR and 'Request' APIs.

The secured (Auth0) Spring Boot REST controller is not sending back a valid 'Access-Control-Allow-Origin' header for a request with credentials. These requests send cookies, and that's largely why * is not a valid value.

This doesn't look to be an XHR request with credentials https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials, but instead it seems to be part of the 'Request' API https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials, based on "the request's credentials mode is 'include'".

This means it could be a fetch call with credentials included https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#Sending_a_request_with_credentials_included


Hi,
was any of you successful? :) @fengyueran

If the Origin request header is non-null, then SockJS will not respond with *. Can you capture a request/response? It is likely something else is responding that is not SockJS.
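The CORS rule described in the comments above (a credentialed request is rejected when Access-Control-Allow-Origin is '*') and the behaviour the maintainer describes (echo the Origin when one is present, '*' only when there is none), as an added JavaScript example that is not sockjs-node's own code. The allow-list, the client origin and the request objects are constructed for the example; the header names and the browser-side check are the ones the CORS specification defines.

```javascript
// Added example, not code from sockjs-node or from the Spring Boot server in
// the issue. Header names are standard; the allow-list and requests are
// constructed for illustration.

// Browser side: the check behind the error message quoted in this issue.
// A request whose credentials mode is 'include' (XHR with withCredentials=true,
// or fetch with credentials: 'include') may only read the response if
// Access-Control-Allow-Origin exactly equals the request Origin (never '*')
// and Access-Control-Allow-Credentials is exactly 'true'.
function browserAllowsResponse({ origin, credentialsMode }, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  if (acao === undefined) return false;
  if (credentialsMode !== 'include') {
    // Non-credentialed request: a wildcard or an exact origin match is enough.
    return acao === '*' || acao === origin;
  }
  if (acao === '*') return false; // the failure reported in this thread
  if (acao !== origin) return false;
  return acac === 'true';
}

// Server side: headers for an endpoint that accepts cookies / auth headers.
// Mirrors the behaviour the maintainer describes: '*' only when the request
// carries no Origin; otherwise echo the Origin, but only if it is on an
// explicit allow-list, because blindly echoing any Origin together with
// Allow-Credentials: true would let any site act with the user's cookies.
function corsHeadersFor(requestHeaders, allowedOrigins) {
  const origin = requestHeaders['origin'];
  if (origin === undefined) {
    // No Origin header (same-origin or non-browser client): nothing to scope.
    return { 'access-control-allow-origin': '*' };
  }
  if (!allowedOrigins.has(origin)) {
    // Not allowed: send no CORS grant at all, the browser blocks the read.
    return {};
  }
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    // Responses now differ per Origin; stop caches serving one origin's
    // grant to another.
    'vary': 'Origin',
  };
}

// Constructed inputs: the Angular client from the issue, and an allow-list
// containing only that client.
const CLIENT = { origin: 'http://localhost:4200', credentialsMode: 'include' };
const ALLOWED = new Set(['http://localhost:4200']);

function demo() {
  // What the reporter's server sent: a wildcard. Rejected for credentials: 'include'.
  const wildcard = { 'access-control-allow-origin': '*' };
  // Echoed allow-listed origin with credentials enabled: accepted.
  const echoed = corsHeadersFor({ origin: CLIENT.origin }, ALLOWED);
  // Origin not on the allow-list: no grant, so the read is blocked.
  const attacker = { origin: 'http://attacker.example', credentialsMode: 'include' };
  const denied = corsHeadersFor({ origin: attacker.origin }, ALLOWED);
  return {
    wildcardAllowed: browserAllowsResponse(CLIENT, wildcard), // false
    echoedAllowed: browserAllowsResponse(CLIENT, echoed),     // true
    attackerAllowed: browserAllowsResponse(attacker, denied), // false
    // The same wildcard is fine for a request that sends no credentials.
    wildcardNoCredentials: browserAllowsResponse(
      { origin: CLIENT.origin, credentialsMode: 'same-origin' }, wildcard), // true
  };
}

console.log(demo());
```

The practical check for this thread is the last point the maintainer makes: capture the failing response and see which process set the '*'. If the echoed form above is what sockjs-node emits for a request carrying an Origin, a '*' in the captured response came from something in front of it (a framework CORS filter, a proxy) rather than from SockJS.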

Closing due to inactivity.

How to do this in ASP.NET Core?