1
votes

Although the OPTIONS returns * for Allow-Headers I'm getting the following CORS response.

Access to XMLHttpRequest at 'https://example1.com' from origin 'https://example2.net' has been blocked by CORS policy: Request header field x-requested-with is not allowed by Access-Control-Allow-Headers in preflight response.

While the OPTION request looks like this:

Request Method: OPTIONS
Status Code: 204 

Request headers:

Access-Control-Request-Headers: x-requested-with
Access-Control-Request-Method: POST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36

Response headers:

access-control-allow-credentials: true
access-control-allow-headers: *
access-control-allow-methods: GET,POST
access-control-max-age: 86400
content-length: 0
content-type: text/plain charset=UTF-8
date: Wed, 12 Jun 2019 05:03:06 GMT
status: 204
1
@sideshowbarker - This answer is from 2013, the current browser should support the wild card already.Roee Gavirel

1 Answers

1
votes

I was facing the same issue with Firefox and IE but not in chrome. Instead of setting the access-control-allow-headers: * add a comma separated list of the headers allowed like this Authorization,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers it worked for me through a filter