'Access-Control-Allow-Origin' must not be the wildcard'*'

I call b.com "s API across domains under a.com:

return HttpService.ajax({
    url: config.URL_GET_GIFT,
    type: "GET",
    dataType: "json",
    data: params,
    xhrFields:{
        withCredentials:true
    }
});

then configure nginx to

under b.com
-sharp
map $http_origin $other_domain {
    default  0;
    "~http://m.jd.id" http://m.jd.id;
    "~https://m.jd.id" https://m.jd.id;
}

server {
    listen 80;
    server_name vip.jd.id;

    
    location / {
        proxy_pass http://127.0.0.1:8100/;

        proxy_set_header Cookie $http_cookie;
        proxy_cookie_domain localhost nginx_server;
        add_header Access-Control-Allow-Origin http://a.com;
        add_header Access-Control-Allow-Headers Content-Type;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        add_header Access-Control-Allow-Credentials true;
    }
}

nginx in a.com is configured as
server {

listen 80;
server_name a.id;

location / {
    proxy_pass http://127.0.0.1:8097/;
}

}

at the same time, the b.com background is configured:

corsConfiguration.addAllowedOrigin("http://a.com/");

but there was an error in the console:

The value of the "Access-Control-Allow-Origin" header in the response must not be the wildcard "*" when the request"s credentials mode is "include". Origin "http://a.com" is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

could you tell me how to solve the problem?

Sep.08,2021

Cross-domain if you want to bring cookie, Access-Control-Allow-Origin , you cannot set it to * . You need to specify a specific domain name .
in other words:
Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: * cannot be used at the same time.


The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard' * 'when the request's credentials mode is' include'. Origin' http://a.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

do not write clearly, do not allow *, then you can write a specific domain name.


Access-Control-Allow-Origin should be written as the specified domain name, not *

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e906e1-12d6.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e906e1-12d6.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?