Skip to content

Header in the response must not be the wildcard '*' when the request's credentials mode is 'include' #227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ghost opened this issue Apr 6, 2017 · 8 comments
Closed

Header in the response must not be the wildcard '*' when the request's credentials mode is 'include' #227

ghost opened this issue Apr 6, 2017 · 8 comments

Comments

@ghost
Copy link

ghost commented Apr 6, 2017

When using SockJS and trying to connect to a secured (Auth0) Spring Boot REST controller (localhost:8081) from an Angular 2 client (localhost:4200) I recieve the following error message:

The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

This issue seems related to issue 177 but the error I recieve informs me that the credentials mode is set to 'include' and not about the credentials flag being true. I'm using the latest SockJS where the issue 177 should be resolved when looking at the node_modules\sockjs\Changelog.

Code and more explanation can be found on stackoverflow.

What could be causing this problem?
@mswaidan
Copy link

Am encountering the same problem. Did you ever find a solution @Samvherck ?

@ghost
Copy link
Author

ghost commented Jun 27, 2017
edited by ghost
Loading

Seems like a SockJS bug so I went for a StompJS only solution (which seems almost to be identical).

import 'stompjs';
declare let Stomp:any;

@Injectable()
export class StompService { 

    url = 'http://localhost:8081/message/';
    stompUrl = 'ws://localhost:8081/message';
    stompClient;

    constructor() {}

    connectStomp(callback: (response) => void) {
	let self = this;
		
	let webSocket = new WebSocket(this.stompUrl);
	this.stompClient = Stomp.over(webSocket);
		
	this.stompClient.connect({}, function (frame) {
            self.stompClient.subscribe('/topic/messages', function (response) {
                callback(response);
            });
        });
    }

    sendStompMessage(content: string) {
        this.stompClient.send("/app/message", {}, "message");
    }
}

@CaseyLeask
Copy link

Here's a link to the MDN explanation of what's happening https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials, which covers both the XHR and 'Request' APIs.

The secured (Auth0) Spring Boot REST controller is not sending back a valid 'Access-Control-Allow-Origin' header for a request with credentials. These requests send cookies, and that's largely why * is not a valid value.

This doesn't look to be a XHR Request with credentials https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials, but instead it seems to be part of the 'Request' API https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials, based on the request's credentials mode is 'include'.

This means it could be a fetch call with credentials included https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#Sending_a_request_with_credentials_included

@fengyueran
Copy link

Am encountering the same problem. Did you ever find a solution @Samvherck ?

@Manubi
Copy link

Manubi commented Jul 31, 2018

Hi,
was anyone of you successful? :) @fengyueran

@brycekahle
Copy link
Contributor

If the Origin request header is non-null, then SockJS will not respond with *. Can you capture a request/response? It is likely something else is responding that is not SockJS.

@brycekahle
Copy link
Contributor

Closing due to inactivity.

@yanganok
Copy link

yanganok commented Apr 9, 2019

how to do in asp.net core

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@CaseyLeask @brycekahle @mswaidan @fengyueran @Manubi @yanganok