Hi guys.
I’m having issues when making a CORS request to a JSON object that I have in my bucket.
My cors.json is like this:
```json
[
  {
    "origin": ["https://www.mysite.com"],
    "method": ["GET", "OPTIONS"],
    "responseHeader": ["x-requested-with"],
    "maxAgeSeconds": 1
  }
]
```
In www.mysite.com I have the following JS code:
```js
url = 'https://firebasestorage.googleapis.com/v0/b//o/1.json';
x = new XMLHttpRequest();
x.open('get', url);
x.withCredentials = true;
x.setRequestHeader('X-Requested-With', 'xhr');
x.send();
```
I get the following error from CORS:
has been blocked by CORS policy: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Where am I wrong?
By the way, this is the preflight request sent:
```
OPTIONS //1.json?test123 HTTP/2
Host:
Accept: /
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
Origin:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en;q=0.8
Priority: u=1, i
```
And this is the response:
```
HTTP/2 200 OK
X-Guploader-Uploadid: AAwnv3IygEy8aiiZNYettOHhJz-YE-efmv3bWMtRx8-_IoToyK6uMda2xRRty8P26UeLIfaV
Access-Control-Allow-Origin:
Access-Control-Max-Age: 1
Access-Control-Allow-Methods: GET,OPTIONS
Access-Control-Allow-Headers: x-requested-with
Vary: Origin
Date: Thu, 02 Oct 2025 22:26:31 GMT
Expires: Thu, 02 Oct 2025 22:26:31 GMT
Cache-Control: private, max-age=0
Content-Length: 0
Server: UploadServer
Content-Type: text/html; charset=UTF-8
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
```
Why isn’t Google Storage including Access-Control-Allow-Credentials: true in the preflight request response?
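
The browser-side check behind the error quoted above, as an added example that is not part of the original post: it applies the Fetch standard's CORS rules for a credentialed request to a set of response headers. `corsCheck`, the request/response object shapes and the sample header values are assumptions constructed for illustration.

```javascript
// Added example: browser-side CORS check following the Fetch standard's rules.
// corsCheck and the request/response object shapes are hypothetical names.
function corsCheck(request, responseHeaders) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const withCreds = request.credentials === 'include';
  const fail = (reason) => ({ ok: false, reason });

  const acao = h['access-control-allow-origin'];
  if (!acao) return fail('missing Access-Control-Allow-Origin');
  if (acao === '*') {
    if (withCreds) return fail('wildcard origin not allowed with credentials');
  } else if (acao !== request.origin) {
    return fail('origin mismatch');
  }
  // With credentials, the header must be the exact string "true".
  if (withCreds && h['access-control-allow-credentials'] !== 'true') {
    return fail('Access-Control-Allow-Credentials is not "true"');
  }
  if (!request.preflight) return { ok: true, reason: 'pass' };

  const list = (name) => (h[name] || '').split(',').map((s) => s.trim()).filter(Boolean);
  const methods = list('access-control-allow-methods');
  const headers = list('access-control-allow-headers').map((s) => s.toLowerCase());
  // "*" acts as a wildcard only when credentials are not included.
  const wild = (items) => !withCreds && items.includes('*');
  const safelisted = ['GET', 'HEAD', 'POST'];
  if (!safelisted.includes(request.method) && !methods.includes(request.method) && !wild(methods)) {
    return fail('method not allowed');
  }
  for (const name of request.headers.map((s) => s.toLowerCase())) {
    if (!headers.includes(name) && !wild(headers)) return fail(`header ${name} not allowed`);
  }
  return { ok: true, reason: 'pass' };
}

// Constructed sample: a preflight for a credentialed GET with X-Requested-With.
const sampleRequest = {
  origin: 'https://www.mysite.com', method: 'GET',
  headers: ['X-Requested-With'], credentials: 'include', preflight: true,
};
const sampleResponse = { // constructed values, origin echoed, no Allow-Credentials
  'Access-Control-Allow-Origin': 'https://www.mysite.com',
  'Access-Control-Allow-Methods': 'GET,OPTIONS',
  'Access-Control-Allow-Headers': 'x-requested-with',
};
console.log(corsCheck(sampleRequest, sampleResponse));
```

The same function can be pointed at headers copied from the browser's network panel to see which rule a given response fails.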