Get answers, ideas, and support from the Apigee Community

Question by Venkatesh · Jun 08, 2015 at 03:41 PM · 33k Views · Tags: headers, cors, assignmessage

CORS Error : header contains multiple values '*, *', but only one is allowed

Hi All,

I am getting "The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed." type of error when requesting an API via Apigee.

I have added an Apigee policy of AssignMessage,

<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Access-Control-Allow-Origin"> * </Header>
        </Headers>
    </Add>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

and having PreFlow Response as,

<PreFlow name="PreFlow">
    <Request/>
    <Response>
        <Step>
            <Name>add-cors</Name>
        </Step>
    </Response>
</PreFlow>

Am I missing anything? Please help me out :(

@Michael Malloy

@Gaurav Vishwas Joshi

@Dave Newman

@Barahalikar Siddharth

@Maruti Chand

@mukundha@apigee.com

@Hasan Otuome

@Scott Ganyo

@Mohsen Azimi

@all


1 Answer

Best Answer

Answer by Carlos Eberhardt · Jun 08, 2015 at 03:47 PM

Instead of using Add to set the Access-Control-Allow-Origin header, use Set. Since headers can support multiple values, Add will add one, rather than just setting the existing. Set will ensure that if there is already a header there you aren't doubling it up.

Venkatesh · Jun 08, 2015 at 03:52 PM

Wow........ Thank you so much, Carlos :) It started to work :)

Anil Sagar @ Google ♦♦ · Feb 25, 2016 at 09:55 AM

Thank you @Carlos Eberhardt, I was just looking for the same & came across this post.

Kd Ford · Oct 13, 2016 at 08:07 PM

This is not working for me. I'm experiencing the same issue where I get "*, *" in the CORS headers, like below. My policy is like this, using SET..

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

Access-Control-Allow-Headers: origin, x-requested-with, accept
Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Access-Control-Allow-Origin: *, *
Access-Control-Expose-Headers: X-Mashery-Error-Code, X-Mashery-Responder
Access-Control-Max-Age: 3628800

Kd Ford · Oct 13, 2016 at 08:11 PM

Actually this is odd.. I went as far as to add an assign message policy that REMOVEd all the CORS headers and then SET them, because I thought they might be coming in from the backend service.. It is still broken in Chrome, which reports it as "*, *", but when I curl it I see below

Any thoughts?

< HTTP/1.1 200 OK
< Date: Thu, 13 Oct 2016 20:09:52 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Mashery-Responder: prod-j-worker-atl-04.mashery.com
< X-Powered-By: PHP/5.5.9-1ubuntu4.14
< Cache-Control: max-age=5150
< Vary: Accept-Encoding
< Server: Mashery Proxy
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: origin, x-requested-with, accept
< Access-Control-Max-Age: 3628800
< Access-Control-Allow-Methods: GET, PUT, POST, DELETE

Kd Ford · Oct 13, 2016 at 08:17 PM

Now it gets stranger. Works in Firefox. So what is Chrome doing?

Carlos Eberhardt ♦ (replying to Kd Ford) · Oct 13, 2016 at 08:38 PM

Weird. Try incognito mode, disable extensions, etc? Maybe something is messing with it.
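
Added example (not part of the original thread and not Apigee code): a small Python model of the Add and Set behaviour described in the accepted answer, together with the single-value check on Access-Control-Allow-Origin that produces the error in the question. It assumes the backend already sends the header; the function names, the sample response and the origin https://app.example are constructed for illustration.

```python
# Constructed backend response (assumption: the target already sends the header).
SAMPLE_BACKEND = """\
< HTTP/1.1 200 OK
< Content-Type: application/json;charset=UTF-8
< Access-Control-Allow-Origin: *
"""
ACAO = "Access-Control-Allow-Origin"

def parse_headers(raw):
    """Parse 'Name: value' lines (curl -v '< ' prefix allowed), keeping duplicates."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("< "):
            line = line[2:]
        name, sep, value = line.partition(":")
        if sep and not name.upper().startswith("HTTP/"):
            pairs.append((name.strip(), value.strip()))
    return pairs

def add_header(headers, name, value):
    """Model of Add: append a value and leave any existing field in place."""
    return headers + [(name, value)]

def set_header(headers, name, value):
    """Model of Set: drop existing fields of that name, then write exactly one."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()] + [(name, value)]

def combined_value(headers, name):
    """Join repeated fields with ', ' the way HTTP clients combine them."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None

def check_allow_origin(headers, request_origin):
    """Return (ok, reason) for the single-value rule on Access-Control-Allow-Origin."""
    value = combined_value(headers, ACAO)
    if value is None:
        return False, "header missing"
    if "," in value:
        return False, "multiple values %r" % value
    if value in ("*", request_origin):
        return True, "ok"
    return False, "value %r does not match the request origin" % value

if __name__ == "__main__":
    backend = parse_headers(SAMPLE_BACKEND)
    for label, result in (("Add", add_header(backend, ACAO, "*")),
                          ("Set", set_header(backend, ACAO, "*"))):
        print(label, combined_value(result, ACAO), check_allow_origin(result, "https://app.example"))
```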
