Cross-Origin Request Headers(CORS) with PHP headers

I have a simple PHP script that I am attempting a cross-domain CORS request:

<?php
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: *");
...

Yet I still get the error:

Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers

Anything I’m missing?

Answer

Access-Control-Allow-Headers does not allow * as accepted value, see the Mozilla Documentation here.

Instead of the asterisk, you should send the accepted headers (first X-Requested-With as the error says).

Update:

* is now accepted is Access-Control-Allow-Headers.

According to MDN Web Docs 2021:

The value * only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name * without special semantics. Note that the Authorization header can’t be wildcarded and always needs to be listed explicitly.