CORS Error : header contains multiple values '*, *', but only one is allowed
Hi All,
I am getting "The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed." type of error when requesting an API via ApiGee.
I have added an ApiGee policy of AssignMessage,
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
<DisplayName>Add CORS</DisplayName>
<FaultRules/>
<Properties/>
<Add>
<Headers>
<Header name="Access-Control-Allow-Origin"> * </Header>
</Headers>
</Add>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
and having PreFlow Response as,
<PreFlow name="PreFlow">
<Request/>
<Response>
<Step>
<Name>add-cors</Name>
</Step>
</Response>
</PreFlow>
Am I missing anything? please help me out :(
@Michael Malloy
@Gaurav Vishwas Joshi
@Dave Newman
@Barahalikar Siddharth
@Maruti Chand
@Hasan Otuome
@Scott Ganyo
@Mohsen Azimi
@all
Best Answer
Instead of using Add to set the Access-Control-Allow-Origin header, use Set. Since headers can support multiple values, Add will add one, rather than just setting the existing. Set will ensure that if there is already a header there you aren't doubling it up.
Wow........ Thank you so much, Carlos :) It started to work :)
Thank you @Carlos Eberhardt , I was just looking for same & came across this post.
This is not working for me. I'm experiencing the same issue where I get "*, *" in the CORS headers, like below. My policy is like this, using SET..
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
<DisplayName>Add CORS</DisplayName>
<FaultRules/>
<Properties/>
<Set>
<Headers>
<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept</Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
</Headers>
</Set>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
Access-Control-Allow-Headers: origin, x-requested-with, accept Access-Control-Allow-Methods: GET, PUT, POST, DELETE Access-Control-Allow-Origin: *, * Access-Control-Expose-Headers: X-Mashery-Error-Code, X-Mashery-Responder Access-Control-Max-Age: 3628800
Actually this is odd.. I went as far as to add an assign message policy that REMOVEd all the CORS headers and then SET them, because I thought they might be coming in from the backend service.. It is still broken in Chrome, which reports it as "*, *", but when I curl it I see below
Any Thoughs?
< HTTP/1.1 200 OK < Date: Thu, 13 Oct 2016 20:09:52 GMT < Content-Type: application/json;charset=UTF-8 < Transfer-Encoding: chunked < Connection: keep-alive < X-Mashery-Responder: prod-j-worker-atl-04.mashery.com < X-Powered-By: PHP/5.5.9-1ubuntu4.14 < Cache-Control: max-age=5150 < Vary: Accept-Encoding < Server: Mashery Proxy < Access-Control-Allow-Origin: * < Access-Control-Allow-Headers: origin, x-requested-with, accept < Access-Control-Max-Age: 3628800 < Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Now it gets stranger. Works in Firefox. So what is Chrome doing?
Weird. Try incognito mode, disable extensions, etc? Maybe something is messing with it.
