Hi All,
I am getting "The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed." type of error when requesting an API via ApiGee.
I have added an ApiGee policy of AssignMessage,
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
<DisplayName>Add CORS</DisplayName>
<FaultRules/>
<Properties/>
<Add>
<Headers>
<Header name="Access-Control-Allow-Origin"> * </Header>
</Headers>
</Add>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
and having PreFlow Response as,
<PreFlow name="PreFlow">
<Request/>
<Response>
<Step>
<Name>add-cors</Name>
</Step>
</Response>
</PreFlow>
Am I missing anything? please help me out 😞
@Michael Malloy
@Gaurav Vishwas Joshi
@Dave Newman
@Barahalikar Siddharth
@Maruti Chand
@mukundha@apigee.com
@Hasan Otuome
@Scott Ganyo
@Mohsen Azimi
@all
Instead of using Add to set the Access-Control-Allow-Origin header, use Set. Since headers can support multiple values, Add will add one, rather than just setting the existing. Set will ensure that if there is already a header there you aren't doubling it up.
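Added example (not part of the original thread and not Apigee or browser code): a small JavaScript model of why Add can end up as "*, *" while Set does not. It assumes the response already carries the header before the policy runs; `applyAdd`, `applySet`, `combinedValue` and `corsCheck` are hypothetical helper names, and the sample response is constructed.

```javascript
// Illustrative model only: these helpers are hypothetical, not Apigee or browser APIs.
// Response headers are kept as an ordered list of [name, value] lines, as on the wire.

function applyAdd(headers, name, value) {
  // Add: append a new header line and leave any existing line in place.
  return [...headers, [name, value.trim()]];
}

function applySet(headers, name, value) {
  // Set: drop every existing line with that name, then write exactly one.
  const kept = headers.filter(([n]) => n.toLowerCase() !== name.toLowerCase());
  return [...kept, [name, value.trim()]];
}

// Browsers combine repeated header lines into a single value joined by ", ".
function combinedValue(headers, name) {
  const values = headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// CORS check for a request without credentials: the combined value must be
// exactly "*" or exactly the requesting origin. A list such as "*, *" fails.
function corsCheck(headers, origin) {
  const acao = combinedValue(headers, 'Access-Control-Allow-Origin');
  if (acao === null) return { ok: false, reason: 'header missing' };
  if (acao === '*' || acao === origin) return { ok: true, reason: acao };
  return { ok: false, reason: `unexpected value '${acao}'` };
}

// Constructed sample: a response that already carries the header (assumption).
const backendResponse = [
  ['Content-Type', 'application/json'],
  ['Access-Control-Allow-Origin', '*'],
];
const origin = 'https://app.example.test'; // constructed origin

const afterAdd = applyAdd(backendResponse, 'Access-Control-Allow-Origin', ' * ');
const afterSet = applySet(backendResponse, 'Access-Control-Allow-Origin', '*');

console.log(corsCheck(afterAdd, origin)); // ok: false, value seen is '*, *'
console.log(corsCheck(afterSet, origin)); // ok: true
```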
Wow........ Thank you so much, Carlos 🙂 It started to work 🙂
Thank you @Carlos Eberhardt , I was just looking for same & came across this post.
This is not working for me. I'm experiencing the same issue where I get "*, *" in the CORS headers, like below. My policy is like this, using SET..
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
<DisplayName>Add CORS</DisplayName>
<FaultRules/>
<Properties/>
<Set>
<Headers>
<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept</Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
</Headers>
</Set>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
Access-Control-Allow-Headers: origin, x-requested-with, accept
Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Access-Control-Allow-Origin: *, *
Access-Control-Expose-Headers: X-Mashery-Error-Code, X-Mashery-Responder
Access-Control-Max-Age: 3628800
Actually this is odd.. I went as far as to add an assign message policy that REMOVEd all the CORS headers and then SET them, because I thought they might be coming in from the backend service.. It is still broken in Chrome, which reports it as "*, *", but when I curl it I see below
Any thoughts?
< HTTP/1.1 200 OK
< Date: Thu, 13 Oct 2016 20:09:52 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Mashery-Responder: prod-j-worker-atl-04.mashery.com
< X-Powered-By: PHP/5.5.9-1ubuntu4.14
< Cache-Control: max-age=5150
< Vary: Accept-Encoding
< Server: Mashery Proxy
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: origin, x-requested-with, accept
< Access-Control-Max-Age: 3628800
< Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Now it gets stranger. Works in Firefox. So what is Chrome doing?
Weird. Try incognito mode, disable extensions, etc? Maybe something is messing with it.
hi Carlos Eberhardt / @venkatesh can you please give an example on what you meant by Instead of using Add to set the Access-Control-Allow-Origin header, use Set.
figured it out - blend and blindness
Tks Carlos! Working for me!
hey guys, I implemented something like that and it served me correctly.
In the proxy endpoint we must place in the preflow the next call of a FlowCallout to invoke a sharedflow which will have the policy of CORS
<PreFlow name="PreFlow">
<Request>
<Step>
<Name>FC-CORS</Name>
</Step>
<Step>
<Name>FC-OAuth2</Name>
</Step>
</Request>
<Response/>
</PreFlow>
Definition of flowcallout, where we invoke the sharedflow
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-CORS">
<DisplayName>FC-CORS</DisplayName>
<FaultRules/>
<Properties/>
<SharedFlowBundle>OPTIONS-CORS-Headers-Response</SharedFlowBundle>
</FlowCallout>
definition of sharedflow
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlow name="default">
<Step>
<Name>OPTIONS-CORS-Headers-Response</Name>
<Condition>request.verb == "OPTIONS"</Condition>
</Step>
</SharedFlow>
definition of the policy of RaiseFault, where we will indicate the headers of Access-Control-Allow-Origin with * that will allow the invocation from our browser
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="OPTIONS-CORS-Headers-Response">
<DisplayName>OPTIONS CORS Headers Response</DisplayName>
<Properties/>
<FaultResponse>
<Set>
<Headers>
<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization</Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
</Headers>
<Payload contentType="text/plain"/>
<StatusCode>200</StatusCode>
<ReasonPhrase>OK</ReasonPhrase>
</Set>
</FaultResponse>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
angular:
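// Options sent with the request: the bearer token goes in the Authorization header
const httpOptions2 = { headers: new HttpHeaders({ 'Authorization': 'Bearer token' }) };
// Calls the Apigee endpoint and returns the response as an Observable
obtenerCatalogos(): Observable<any> { return this.httpClient.get<any>(uriApigee + 'endpointapigee', httpOptions2); }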
Regards