DEV Community

Discussion on: Understanding Cross-Origin Resource Sharing (CORS)

林奕忠

"The Access-Control-Allow-Credentials header be present on both the preflight and actual request ..."

But according to your code, the 'Access-Control-Allow-Credentials' header is only present on the actual request. I am confused.

Miguel Mota

I updated the sentence to be more clear. The Access-Control-Allow-Credentials header only needs to be present on the non-preflight response (the actual response). Cookies are only sent in the actual response. If the Access-Control-Allow-Credentials header is also present in the preflight response then cookies will still not be sent because it's the preflight response. Cookies are only sent in the non-preflight actual response.