I have a simple PHP script with which I am attempting a cross-domain CORS request:
<?php
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: *");
...
Yet I still get the error:
Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers
Anything I’m missing?
Answer
Access-Control-Allow-Headers does not allow * as accepted value, see the Mozilla Documentation here.
Instead of the asterisk, you should send the accepted headers (first X-Requested-With as the error says).
Update: * is now accepted in Access-Control-Allow-Headers.
According to MDN Web Docs 2021:
The value * only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name * without special semantics. Note that the Authorization header can’t be wildcarded and always needs to be listed explicitly.
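An added example, not part of the original question or answer: a PHP preflight handler that lists the accepted request headers explicitly, which works with and without credentials and covers Authorization. The origin and the header allowlist are constructed values to be replaced with your own.

```php
<?php
// Hypothetical allowlists for illustration; replace with your application's values.
const ALLOWED_ORIGINS = ['https://app.example.com'];   // constructed origin
const ALLOWED_HEADERS = ['x-requested-with', 'content-type', 'authorization'];

/**
 * Build the CORS response headers for one request.
 * Returns an empty array when the Origin is missing or not allowlisted.
 */
function cors_headers(?string $origin, ?string $requestedHeaders): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return []; // no CORS headers: the browser blocks the cross-origin read
    }
    $out = [
        // Echo the exact allowlisted origin instead of "*".
        'Access-Control-Allow-Origin' => $origin,
        // Caches must not reuse this response for another origin or header set.
        'Vary' => 'Origin, Access-Control-Request-Headers',
    ];
    if ($requestedHeaders !== null) {
        // Preflight: grant only the requested headers that are on the allowlist.
        // Header names are case-insensitive, so compare in lower case.
        $asked = array_map('strtolower', array_map('trim', explode(',', $requestedHeaders)));
        $granted = array_values(array_intersect($asked, ALLOWED_HEADERS));
        if ($granted !== []) {
            $out['Access-Control-Allow-Headers'] = implode(', ', $granted);
        }
    }
    return $out;
}

$cors = cors_headers(
    $_SERVER['HTTP_ORIGIN'] ?? null,
    $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? null
);
foreach ($cors as $name => $value) {
    header("$name: $value");
}

// A preflight (OPTIONS) response needs no body; stop before the real handler runs.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
    http_response_code(204);
    exit;
}
```

The browser sends the header names it intends to use in Access-Control-Request-Headers; a name missing from the response's Access-Control-Allow-Headers produces the "is not allowed by Access-Control-Allow-Headers" error quoted in the question.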