Article - CS312490

Cross-Origin Resource Sharing (CORS) error "The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request credential is 'include'" in ThingWorx

Modified: 18-Sep-2024   


Applies To

  • ThingWorx Platform 8.3 SP7 to 9.1

Description

  • The following error is returned when trying to access the ThingWorx API from a web browser:
Access to XMLHttpRequest at 'URL' (redirected from 'URL') from origin 'URL' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value that is not equal to the supplied origin
  • How to configure CORS for ThingWorx
  • CORS configurations have been placed into Tomcat's web.xml (<Tomcat Home>\conf\web.xml)
  • The cors.allowed.origins parameter is configured as below:
<init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
</init-param>
  • Error on Chrome Dev tools Console (F12):
Access to XMLHttpRequest at '<hostname>/<ThingworxAPI>/<appkey>'  from origin 'null' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
From origin 'null' has been blocked by CORS policy: Request header field access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response.
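
The three console errors above come from separate checks the browser applies to the CORS response headers. The following added example (not PTC, ThingWorx or Tomcat code) models those checks in simplified form; the origin, the header values and the `appKey` request header name are constructed for illustration.

```javascript
// Added example: a simplified model of the browser-side CORS checks.
// Header names in `headers` objects are expected in lower case.
// Simplification: content-type is treated as always safelisted.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Check applied to the response (and to the preflight response as well).
function corsCheck(origin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "blocked: no Access-Control-Allow-Origin header";
  const withCredentials = credentialsMode === "include";
  if (allowOrigin === "*") {
    return withCredentials
      ? "blocked: wildcard '*' not allowed when credentials mode is 'include'"
      : "allowed";
  }
  if (allowOrigin !== origin) return "blocked: header value not equal to the supplied origin";
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return "blocked: Access-Control-Allow-Credentials is not 'true'";
  }
  return "allowed";
}

// Extra check on the preflight (OPTIONS) response for non-safelisted request headers.
function preflightHeaderCheck(requestHeaderNames, credentialsMode, headers) {
  const allowed = (headers["access-control-allow-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  // '*' acts as a wildcard only for requests without credentials.
  const wildcard = credentialsMode !== "include" && allowed.includes("*");
  for (const name of requestHeaderNames.map((h) => h.toLowerCase())) {
    if (SAFELISTED.has(name) || allowed.includes(name)) continue;
    if (wildcard && name !== "authorization") continue;
    return `blocked: request header field ${name} is not allowed by Access-Control-Allow-Headers`;
  }
  return "allowed";
}

// Constructed sample values (hypothetical origin and headers).
const pageOrigin = "https://dashboard.example.com";
const wildcardResponse = { "access-control-allow-origin": "*" };
const explicitResponse = {
  "access-control-allow-origin": pageOrigin,
  "access-control-allow-credentials": "true",
};
const preflightResponse = { ...explicitResponse, "access-control-allow-headers": "appKey, Content-Type" };

console.log(corsCheck(pageOrigin, "include", wildcardResponse));
console.log(corsCheck(pageOrigin, "include", explicitResponse));
console.log(preflightHeaderCheck(["appKey", "Access-Control-Allow-Origin"], "include", preflightResponse));
```

The last call reproduces the preflight error: Access-Control-Allow-Origin is a response header, so a client that sends it as a request header triggers the Access-Control-Allow-Headers check.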