'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'

I have a server running and I cannot connect to it from my local HTML file on my Mac.


Failed to load http://file/ The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'null' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.


var app = require('express')();
var server = app.listen(8080);
var cors = require('cors');

app.options('*', cors());
var io = require('').listen(server);


// think this is redundant

Local HTML file (no local server running it)

  <script src=""></script>

  <script src="../"></script>
    // Create SocketIO instance, connect

    // var socket = new io.Socket();
    var socket = io();

    //var socket = io('', { transport : ['websocket'] });

    // Add a connect listener
    socket.on('connect',function() {
      console.log('Client has connected to the server!');
    });
    // Add a message listener
    socket.on('message',function(data) {
      console.log('Received a message from the server!',data);
    });
    // Add a disconnect listener
    socket.on('disconnect',function() {
      console.log('The client has disconnected!');
    });

    // Sends a message to the server via sockets
    function sendMessageToServer(message) {
  <div id="date"></div>
  <textarea id="text"></textarea>

2 answers

  • answered 2018-02-21 07:01 Tzook Bar Noy

    I had a lot of pain with CORS

    but you should set a specific domain and it will help you a lot.

    var express = require('express')
    var cors = require('cors')
    var app = express()
    var corsOptions = {
      origin: function (origin, callback) {
        if (any_logic_you_want) {
          //this is not tested, just copied from npm cors docs
          callback(null, true)
        } else {
          callback(new Error('Not allowed by CORS'))
        }
      }
    }

  • answered 2018-02-21 07:01 Tomasz

    According to MDN you have the Access-Control-Allow-Credentials header set to include, which requires a server to specify that this domain can access cookies etc. - which makes sense - you don't want to send cookies or credentials to just any site.

    If you only have an HTML file that is not hosted anywhere, all you can do is disable credentials, so they are not sent. I've looked on the internet and I think you can set it like:

    var socket = io({
      extraHeaders: {
        'Access-Control-Allow-Credentials': 'omit'
      }
    });

    Alternatively, you could just disable CORS in a browser, but of course, it's a last-resort technique which opens you up to security issues.
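
Added example (not part of the question or either answer): a minimal model of the rule behind the error message in the question, with a server-side origin decision next to a simplified version of the browser's check. The allowlist entries and the function names `corsHeadersFor` and `browserAllows` are assumptions made for illustration.

```javascript
// Constructed allowlist for this example; these origins are placeholders.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000', 'https://app.example.com']);

// Server side: decide which CORS response headers to send for a request.
// Returns {} when the origin is not allowed (the browser then blocks the read).
function corsHeadersFor(origin, { credentials }) {
  if (!credentials) {
    // Without credentials the wildcard is permitted.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // A page opened from file:// sends "Origin: null". Sandboxed iframes and
  // data: URLs do too, so "null" is never allowlisted together with credentials.
  if (!origin || origin === 'null' || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,       // echo the exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                            // stop caches reusing it for other origins
  };
}

// Browser side: simplified model of the CORS check applied to the response.
// credentialsMode is 'include' when XMLHttpRequest.withCredentials is true.
function browserAllows(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== 'include') {
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  // With credentials: the wildcard is rejected and Allow-Credentials must be "true".
  return allowOrigin === requestOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// The failure from the question: wildcard response, credentialed request, file:// page.
const wildcard = { 'Access-Control-Allow-Origin': '*' };
console.log(browserAllows('null', 'include', wildcard));              // false
console.log(browserAllows('null', 'omit', wildcard));                 // true
const good = corsHeadersFor('http://localhost:3000', { credentials: true });
console.log(browserAllows('http://localhost:3000', 'include', good)); // true
```

Serving the HTML file from a local web server gives it a real origin that can be placed on the allowlist, which is what makes the credentialed case pass here.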