I have a problem with my script where I get an error message like this:

XMLHttpRequest cannot load https://igoblogging.com/likebutton/. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://nielinfo.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

I tried to load a cookie cross-domain. Here is my JavaScript code:

var xhr = new XMLHttpRequest();
xhr.open('POST', linkbased+'/likebutton/',true);
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
    if(this.readyState == 4 && this.status == 200) {
        if(document.getElementById("igblikebutton")){
            document.getElementById("igblikebutton").innerHTML = this.responseText;
        }
    }
}
xhr.send(data);

And here is my PHP script:

header('Access-Control-Allow-Origin: http://nielinfo.com');
header('Access-Control-Allow-Methods: POST');
header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept');
header('Access-Control-Allow-Credentials: true');
echo $_COOKIE['username'];

Here are the response headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods:POST
Access-Control-Allow-Origin:*
Cache-Control:max-age=604800
Content-Type:text/html; charset=utf-8
Date:Wed, 05 Jul 2017 07:09:04 GMT
Expires:Wed, 12 Jul 2017 07:09:04 GMT
Server:Apache/2.4.25 (CentOS)
Strict-Transport-Security:max-age=2592000; preload
Transfer-Encoding:chunked
Upgrade:h2
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:PHP/5.4.45
X-Supported-By:Kloxo-MR 7.0
X-XSS-Protection:1;mode=block

And here are the request headers:

Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:82
Content-type:application/x-www-form-urlencoded
Cookie:__cfduid=d239fe9b5de5b706676a60c112ccbd5d01497599052; _ga=GA1.2.91093954.1497599466; kloxo-clientname=admin; kloxo-classname=client; kloxo-session-id=L5b4xFTJphHH9kQN1AidVz6jpQw2QuazpkJd4TmW4E71fXMOPb; __atuvc=1%7C25; HstCfa3839354=1498146551883; HstCla3839354=1498146551883; HstCmu3839354=1498146551883; HstPn3839354=1; HstPt3839354=1; HstCnv3839354=1; HstCns3839354=1; username=flameblue59; ip=118.136.215.7; PHPSESSID=9614c4fcf759c74577837fdd5dad1c3f
Host:igoblogging.com
Origin:http://nielinfo.com
Referer:http://nielinfo.com/who-is-dullahan-the-headless-rider-who-will-terrified-you/
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

The weird thing is, when I remove xhr.withCredentials, it works fine but the cookie won't load. I think the problem is because of the withCredentials usage. I would really appreciate any solution here. Thank you so much.

Isn't it weird that when you set allow-Origin to http://nielinfo.com your response produces a different response *? - Endless
Sure, that's why I could not understand it. This is really weird, because the HTTP header is different from my PHP file. - Bobby
Can anyone help me, please? - Bobby
Thought maybe you figured it out. Perhaps you override it somewhere? Like .htaccess, php init, Apache, or some other PHP script. Could also be a proxy. - Endless
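
The check the browser applies to this response, as an added example that is not part of the original question or comments: it runs the Fetch CORS check over header lines constructed from the response dump in the question, and also flags a duplicated Access-Control-Allow-Origin header, which a second layer adding its own header on top of the PHP one can produce. The function names and the `observed`/`intended` samples are assumptions made for the illustration.

```javascript
// Parse "Name:value" lines (the format of the header dump in the question)
// into a map of lowercased name -> array of values, keeping duplicates.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split('\n')) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Mirror of the browser's CORS check on a cross-origin response.
// credentialed = true corresponds to xhr.withCredentials = true.
function corsCheck(raw, requestOrigin, credentialed) {
  const h = parseHeaders(raw);
  const acao = h.get('access-control-allow-origin') || [];
  if (acao.length === 0) return { ok: false, reason: 'no Access-Control-Allow-Origin' };
  if (acao.length > 1 || acao[0].includes(',')) {
    return { ok: false, reason: 'multiple Access-Control-Allow-Origin values' };
  }
  const origin = acao[0];
  if (!credentialed) {
    // Without credentials the wildcard is acceptable.
    return (origin === '*' || origin === requestOrigin)
      ? { ok: true, reason: 'allowed without credentials' }
      : { ok: false, reason: 'origin mismatch' };
  }
  // With credentials the origin must match exactly; '*' is rejected.
  if (origin === '*') return { ok: false, reason: 'wildcard origin with credentials' };
  if (origin !== requestOrigin) return { ok: false, reason: 'origin mismatch' };
  const acac = h.get('access-control-allow-credentials') || [];
  if (acac.length !== 1 || acac[0] !== 'true') {
    return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { ok: true, reason: 'allowed with credentials' };
}

// Constructed sample: the two relevant headers the server actually returned.
const observed = 'Access-Control-Allow-Credentials:true\nAccess-Control-Allow-Origin:*';
// Constructed sample: what the PHP script in the question intends to send.
const intended = observed.replace('Allow-Origin:*', 'Allow-Origin:http://nielinfo.com');

console.log(corsCheck(observed, 'http://nielinfo.com', true));  // rejected
console.log(corsCheck(observed, 'http://nielinfo.com', false)); // accepted
console.log(corsCheck(intended, 'http://nielinfo.com', true));  // accepted
```

The first two results match the behaviour described in the question: the observed response is rejected with withCredentials set and accepted without it.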