# general
anyone here have a good grasp on CORS? because I don’t. 😅
```
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <>. (Reason: header 'authorization' is not allowed according to header 'Access-Control-Allow-Headers' from CORS preflight response).
```
the preflight request is sending back the header `access-control-allow-headers: *`. so I don’t understand why it says the ‘authorization’ header is not allowed
The value “`*`” only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name “`*`” without special semantics. Note that the 
 header can’t be wildcarded and always needs to be listed explicitly.
ahh ok! got it
Don’t you also need to provide the
in the server CORS policy to allow reading responses with credentials? If the above suggestion from @Omi Chowdhury alone doesn’t work, you might look at that.
Y’know it’s weird everything I read suggests
is required…but I don’t see it coming back on my own API, and it all works … 🤔