Access-Control-Allow-Origin issue

[alan-bradbury-hollaroo]

I have the following express app setup:

const app = express();
app.use(cors({ credentials: true, origin: 'https://localhost:8080' }));

And make a request from https://localhost:8080 with Access-Control-Allow-Credentials set to true and get the following error.

Access to fetch at 'https://localhost:3000/xxxx' from origin 'https://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Upon looking at the pre-flight request the Access-Control-Allow-Origin has indeed been returned as * rather than https://localhost:8080

I can see my cors settings are being picked up as I've tried changing the methods option and can see that being reflected.

[dougwilson]

Hello, and sorry you are having trouble. I'm not sure how that could be happening, as you can view our source code and see that the only place this module returns that header as '*' is when the origin options is blank or set to '*' (https://github.com/expressjs/cors/blob/master/lib/index.js#L44). In order to assist further, we'll need your complete app such that we can run it and reproduce the issue, as there must be something else causing that header to be returned as '*' that is not clear from what has been provided in the report. Alternatively you are always welcome to open a PR that makes the changes necessary to resolve your issue.

[Kylir]

Hello!
I had the exact same issue: An ExpressJS API, cors configured and the OPTIONS request was successful, but the POST just after was failing.
It took me a while to realise that I had another call to cors deeper in my code for that POST that was overwriting the headers.
It's worth searching for cors in your project if you have this issue.