Object Storage Service: How do I fix a cross-origin request error indicating that Access-Control-Allow-Origin cannot be an asterisk (*)?

Last Updated: Apr 18, 2025

Description

Access-Control-Allow-Origin is set to an asterisk (*) in a cross-origin resource sharing (CORS) rule for an Object Storage Service (OSS) bucket and Access-Control-Allow-Credentials is set to true. The following error is returned for a cross-origin request for an object in the bucket:

Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Causes

When Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot be set to an asterisk (*). This restriction prevents a domain from being accessed by all other domains with credentials attached, which could leak credentials such as cookies and Authorization header information, as well as other sensitive information.

Solutions

  • If you want cross-origin requests to include credentials, change the Access-Control-Allow-Origin settings from * to specific origin URLs, such as https://example.com. For more information, see CORS.

  • If you do not want cross-origin requests to include credentials, set xhr.withCredentials to false and make sure Access-Control-Allow-Credentials is set to false on the server side.
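The following added example (not part of the OSS documentation or any OSS SDK) models the check a browser applies to a CORS response, so you can see which header combinations pass for each of the two solutions above. The function names `header` and `corsCheck` are hypothetical, and the header values are constructed samples.

```javascript
// Added example: models the browser's CORS check for a single response.
// Header values are constructed samples, not captured OSS traffic.

function header(headers, name) {
  // Case-insensitive lookup in a plain object of response headers.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// credentialsMode is "include" when xhr.withCredentials is true,
// and "same-origin" when it is false.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = header(headers, "access-control-allow-origin");
  const allowCreds = header(headers, "access-control-allow-credentials");
  const withCreds = credentialsMode === "include";

  if (allowOrigin === null) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (allowOrigin === "*") {
    // The wildcard is only accepted for requests without credentials.
    return withCreds
      ? { ok: false, reason: "wildcard origin with credentials mode 'include'" }
      : { ok: true, reason: "wildcard accepted without credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (!withCreds) {
    return { ok: true, reason: "origin matched, no credentials sent" };
  }
  // The value must be exactly "true" (case-sensitive) to pass.
  return allowCreds === "true"
    ? { ok: true, reason: "origin matched, credentials allowed" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
}

const page = "https://example.com"; // constructed requesting origin
const samples = [
  ["include", { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" }],
  ["include", { "Access-Control-Allow-Origin": page, "Access-Control-Allow-Credentials": "true" }],
  ["same-origin", { "Access-Control-Allow-Origin": "*" }],
];
for (const [mode, headers] of samples) {
  console.log(mode, JSON.stringify(headers), "->", corsCheck(page, mode, headers).reason);
}
```

The first sample reproduces the error in the Description section; the second and third correspond to the two solutions.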