Access-Control-Allow-Origin "*" not allowed when credentials flag is true


This error is returned by your browser.

It basically means you just can't do that.

CORS-related headers should not be set in Apache (in your case).

Generate that in your NodeJS application with a specified domain:port, not a wildcard.

Here's a similar case you may want to have a look at.

I don't know NodeJS. In PHP you can use

header("Access-Control-Allow-Origin: ".$_SERVER['HTTP_ORIGIN']);

to simulate wildcard.


Author: JHeni

Updated on September 18, 2022

Comments

  • JHeni
    JHeni over 1 year

    I have an ajax request which connects to http://example.com:6001.

    However, it will work only when I open http://example.com:6001 in the browser, which loads index.html (which is run through Node.js on port 6001). This works fine and ajax returns:

    XHR finished loading: http://example.com:6001/_api/

    However, when I open index.html from my Apache server on :80, the ajax call will return:

    XMLHttpRequest cannot load http://example.com/_api/?xxx. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://example.com' is therefore not allowed access.

    I’m not sure whether this error is returned by CouchDB or by Apache.

    I’ve tried some variations of the following in /etc/apache2/sites-available/000-default.conf of Apache:

    <VirtualHost *:6001>
            Header set Access-Control-Allow-Origin *
            Header set Access-Control-Allow-Credentials "false"
    </VirtualHost>
    

    And in /etc/couchdb/local.ini of CouchDB (from the Cross-Origin Resource Sharing documentation):

    [httpd]
    enable_cors = true
    
    [cors]
    origins = *
    credentials = false
    

    The last one makes the most sense because it seems to point out the credentials flag.

    It shouldn’t be script as well, because it works within the same “port-domain” (i.e., :6001).

  • Flash
    Flash about 6 years
    To add to this answer, the request header you are looking for is "Origin", which you can get with req.headers["Origin"]. In your Node application you may query this request header, see if the host in there is valid, and then return it with a response header "Access-Control-Allow-Origin: " + req.headers["Origin"].
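
The check described in the answer and in the last comment, as an added example that is not code from the original page: the Node.js API returns the exact request origin only when it is on an allowlist, and never the wildcard, so credentialed requests work without opening the API to every site. The names `ALLOWED_ORIGINS`, `corsHeaders` and `handler`, and the allowed methods and headers, are assumptions made for illustration.

```javascript
// Assumption: the only origin allowed to send credentialed requests is the
// Apache-served page from the question (http://example.com on port 80).
const ALLOWED_ORIGINS = new Set(["http://example.com"]);

// Build the CORS response headers for the value of the request's Origin header.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  // The response differs per origin, so tell caches to key on it.
  const headers = { Vary: "Origin" };
  // Exact string match: a prefix or substring test would also accept
  // look-alike hosts such as http://example.com.other.test.
  if (typeof origin !== "string" || !allowed.has(origin)) {
    return headers; // no Allow-Origin header, so the browser blocks the read
  }
  headers["Access-Control-Allow-Origin"] = origin; // exact origin, never "*"
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Request handler for Node's http module.
function handler(req, res) {
  // Node lower-cases incoming header names, so the key is "origin".
  const headers = corsHeaders(req.headers.origin);
  if (req.method === "OPTIONS") {
    // Preflight: answer with the permitted methods and headers, no body.
    if (headers["Access-Control-Allow-Origin"]) {
      headers["Access-Control-Allow-Methods"] = "GET, POST";
      headers["Access-Control-Allow-Headers"] = "Content-Type";
    }
    res.writeHead(204, headers);
    res.end();
    return;
  }
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}

// Wire-up (left as a comment so the file can be loaded without binding a port):
// require("http").createServer(handler).listen(6001);
```

On the client, the request still has to opt in to sending cookies (`xhr.withCredentials = true`), and Apache should not add its own `Access-Control-Allow-Origin` header on top of this one.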