посылаю такой запрос
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open('GET', 'https://time100.ru/api.php?type=tu&t=1535246903510', true);
xhr.setRequestHeader('Content-Type', 'application/x-javascript');
// 3. Отсылаем запрос
xhr.send();
xhr.responseText
ответ такой
Failed to load [url]https://time100.ru/api.php?type=tu&t=1535246903510:[/url] Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://learn.javascript.ru' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
что я делаю не так?