HTTPListener "credentials flag" lie

Question

I'm getting the error: "Wildcards cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true." when trying to access a c# httplistener program from a javascript socket.io webpage.

what I don't understand is I have the following code setting access control allow credentials to FALSE:

                // Note: The GetContext method blocks while waiting for a request. 
                HttpListenerContext context = listener.GetContext();
                UpdateListbox(PluginCore.listMain, "HTTP Client connected", true);
                HttpListenerRequest request = context.Request;
                // Obtain a response object.
                HttpListenerResponse response = context.Response;
                response.AddHeader("Access-Control-Allow-Credentials", "false");
                response.AddHeader("Access-Control-Allow-Origin", "*");
                response.AddHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");

                // Construct a response. 
                string responseString = "Hello world!";
                byte[] buffer = System.Text.Encoding.UTF8.GetBytes(responseString);
                // Get a response stream and write the response to it.
                response.ContentLength64 = buffer.Length;
                System.IO.Stream output = response.OutputStream;
                output.Write(buffer, 0, buffer.Length);
                // You must close the output stream.
                output.Close();

It makes no sense to me. Can anybody point out what i'm doing wrong?

Answer 1

The XmlHttpRequest sent from JavaScript should not have the withCredentials = true; OR the response should not send the Access-Control-Allow-Credentials header or its value should be true in order for the browser to actually send the response back. This is due to security constraints in CORS. https://developer.mozilla.org/en/docs/HTTP/Access_control_CORS#Requests_with_credentials