2

I'm trying to connect to hood.ie via JavaScript:

hoodie = new Hoodie('http://example.com:6001');

But then get an error: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'xxx' is therefore not allowed access.

With:

hoodie = new Hoodie('http://example.com');

Gives 404...

I can connect to localhost:6001 and :6002 for public/admin, so ports are working (also for external example.com).

But in devconsole I get:

OPTIONS: http://example.com:6001/_api/_session A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://example.com' is therefore not allowed access.

I have configured Apache2:

 <VirtualHost *:80>
    DocumentRoot /var/www
    Header set Access-Control-Allow-Origin *
    Header add Access-Control-Allow-Headers "origin, content-type"
    Header always set Access-Control-Allow-Methods "POST, GET, PUT, DELETE, OPTIONS"
    Header set Access-Control-Allow-Credentials "false"
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            Header set Access-Control-Allow-Origin *
            Header set Access-Control-Allow-Credentials "false"
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
 </VirtualHost>

And tried an extra:

<VirtualHost *:6001>
        Header set Access-Control-Allow-Origin *
        Header set Access-Control-Allow-Credentials "false"
</VirtualHost>

Tried:

Header set Access-Control-Allow-Credentials false
Header set Access-Control-Allow-Credentials 'false'
Header set Access-Control-Allow-Credentials true 
...etc

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Origin "example.com"

Tried all possible variations, but still get the same error...

But I'm wondering if I have to set it up in a different place, because the www directory of the :6001 service is somewhere in my home folder, not in var/www, but still works. I have no clue how Apache handles that or knows about the location, or if hood.ie starts its own web service.

Giacomo1968
  • 58,727
TrySpace
  • 170

2 Answers

2

I believe it should be just:

Header set Access-Control-Allow-Origin "*"

without the other Access-Control-* flags as described on enable-cors.org.

Ouroborus
  • 2,850
1

I would guess that "Hoodie" is using an XMLHttpRequest that sends along cookies (withCredentials = "true"), and thus your browser is rejecting the response from the server since it has a wildcard in the allowed origin header.
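
The browser-side check behind the error quoted in the question, as an added example that is not part of the original posts: a simplified JavaScript version of the Fetch standard's CORS check, run against constructed header combinations like those tried in the question. The names `corsCheck`, `ORIGIN` and `h` are made up for this illustration.

```javascript
// Added example: simplified CORS check from the Fetch standard, limited to the
// two response headers discussed here. Header names are lower-cased keys.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'Access-Control-Allow-Origin is missing' };
  }
  // XMLHttpRequest.withCredentials = true corresponds to mode 'include'.
  const credentialed = credentialsMode === 'include';
  if (!credentialed && allowOrigin === '*') {
    return { allowed: true, reason: 'wildcard is fine without credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    const reason = allowOrigin === '*'
      ? "wildcard '*' is not accepted when credentials are sent"
      : `'${allowOrigin}' is not the exact origin '${requestOrigin}'`;
    return { allowed: false, reason };
  }
  if (!credentialed) return { allowed: true, reason: 'origin matches' };
  // The comparison is case-sensitive: only the literal string "true" passes.
  if (headers['access-control-allow-credentials'] === 'true') {
    return { allowed: true, reason: 'origin matches, credentials allowed' };
  }
  return { allowed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
}

// Constructed cases mirroring the header variations tried in the question.
const ORIGIN = 'http://example.com'; // page origin from the error message
const h = (origin, creds) => ({
  'access-control-allow-origin': origin,
  'access-control-allow-credentials': creds,
});
const cases = [
  ['include', h('*', 'false')],
  ['include', h('*', 'true')],
  ['include', h('example.com', 'true')],        // no scheme: not an origin
  ['include', h('http://example.com', 'false')],
  ['include', h('http://example.com', 'true')], // the only credentialed pass
  ['same-origin', h('*', 'false')],             // withCredentials = false
];
for (const [mode, headers] of cases) {
  const { allowed, reason } = corsCheck(ORIGIN, mode, headers);
  console.log(mode, JSON.stringify(headers), '->', allowed ? 'ALLOW' : 'BLOCK', reason);
}
```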