CORS Error : header contains multiple values '*, *', but only one is allowed


Hi All,

I am getting "The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed." type of error when requesting an API via ApiGee.

I have added an ApiGee policy of AssignMessage,

<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Access-Control-Allow-Origin"> * </Header>
        </Headers>
    </Add>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

and having PreFlow Response as,

<PreFlow name="PreFlow">
    <Request/>
    <Response>
        <Step>
            <Name>add-cors</Name>
        </Step>
    </Response>
</PreFlow>

Am I missing anything? Please help me out 😞

@Michael Malloy @Gaurav Vishwas Joshi @Dave Newman @Barahalikar Siddharth @Maruti Chand @mukundha@apigee.com @Hasan Otuome @Scott Ganyo @Mohsen Azimi @all


Instead of using Add to set the Access-Control-Allow-Origin header, use Set. Since headers can support multiple values, Add will add one, rather than just setting the existing. Set will ensure that if there is already a header there you aren't doubling it up.

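As an added illustration of the accepted answer (this is not code from the thread or from Apigee), the following Python model shows what AssignMessage `<Add>` and `<Set>` do to a header the backend has already sent, and includes a small check that flags a duplicated `Access-Control-Allow-Origin` in a header dump. Header names are normalised to lower case; the backend response and the header dumps are constructed sample data.

```python
# Added example (not from the thread or from Apigee): a small model of what
# AssignMessage <Add> and <Set> do to a multi-valued response header, and a
# check that flags the duplicated Access-Control-Allow-Origin this thread is
# about.  Header names are normalised to lower case; the backend response
# and the header dumps below are constructed sample data.

ACAO = "access-control-allow-origin"


def add_header(headers, name, value):
    """<Add>: append one more value; an existing value from the backend stays."""
    headers.setdefault(name.lower(), []).append(value)
    return headers


def set_header(headers, name, value):
    """<Set>: replace whatever is there with exactly one value."""
    headers[name.lower()] = [value]
    return headers


def serialize(headers):
    """Join repeated values with ', ', which is how the browser reports them."""
    return {name: ", ".join(values) for name, values in headers.items()}


def simulate(policy_op):
    """Run one policy operation against a backend that already sent ACAO: *."""
    backend = {ACAO: ["*"]}  # constructed: the target already emits the header
    return serialize(policy_op(backend, "Access-Control-Allow-Origin", "*"))


def parse_headers(raw):
    """Parse 'Name: value' lines, tolerating the '< ' prefix of curl -v output."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip().lstrip("<").strip()
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_allow_origin(headers):
    """Return the list of ACAO values the browser sees; more than one is fatal."""
    values = []
    for v in headers.get(ACAO, []):
        values.extend(part.strip() for part in v.split(",") if part.strip())
    return values


def allow_origin_ok(raw):
    """True only if exactly one Access-Control-Allow-Origin value is present."""
    return len(check_allow_origin(parse_headers(raw))) == 1


# Constructed header dumps: the second one is the failure mode from the thread.
GOOD_RESPONSE = """\
< HTTP/1.1 200 OK
< Content-Type: application/json
< Access-Control-Allow-Origin: *
"""

DUPLICATED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
"""

if __name__ == "__main__":
    print("Add  ->", simulate(add_header)[ACAO])   # *, *
    print("Set  ->", simulate(set_header)[ACAO])   # *
    print("good ok?", allow_origin_ok(GOOD_RESPONSE))
    print("dup ok? ", allow_origin_ok(DUPLICATED_RESPONSE))
```

Pasting the header section of a `curl -v` response into `allow_origin_ok` is a quick way to confirm whether the proxy, the backend, or both are emitting the header; a second value from any layer is enough for the browser to reject the response.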



Wow........ Thank you so much, Carlos 🙂 It started to work 🙂

Thank you @Carlos Eberhardt, I was just looking for the same & came across this post.

This is not working for me. I'm experiencing the same issue where I get "*, *" in the CORS headers, like below. My policy is like this, using Set.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

Access-Control-Allow-Headers: origin, x-requested-with, accept
Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Access-Control-Allow-Origin: *, *
Access-Control-Expose-Headers: X-Mashery-Error-Code, X-Mashery-Responder
Access-Control-Max-Age: 3628800

Actually this is odd. I went as far as to add an AssignMessage policy that REMOVEd all the CORS headers and then SET them, because I thought they might be coming in from the backend service. It is still broken in Chrome, which reports it as "*, *", but when I curl it I see below.

Any thoughts?

< HTTP/1.1 200 OK
< Date: Thu, 13 Oct 2016 20:09:52 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Mashery-Responder: prod-j-worker-atl-04.mashery.com
< X-Powered-By: PHP/5.5.9-1ubuntu4.14
< Cache-Control: max-age=5150
< Vary: Accept-Encoding
< Server: Mashery Proxy
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: origin, x-requested-with, accept
< Access-Control-Max-Age: 3628800
< Access-Control-Allow-Methods: GET, PUT, POST, DELETE

Now it gets stranger. Works in Firefox. So what is Chrome doing?

Weird. Try incognito mode, disable extensions, etc? Maybe something is messing with it.

Hi Carlos Eberhardt / @venkatesh, can you please give an example of what you meant by "Instead of using Add to set the Access-Control-Allow-Origin header, use Set"?

Figured it out - blend and blindness.

Tks Carlos! Working for me!

jovaniac
Hey guys, I implemented something like that and it served me correctly.
In the proxy endpoint we must place in the PreFlow the following call of a FlowCallout to invoke a SharedFlow, which will have the CORS policy:

<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>FC-CORS</Name>
        </Step>
        <Step>
            <Name>FC-OAuth2</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>

Definition of the FlowCallout, where we invoke the SharedFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-CORS">
    <DisplayName>FC-CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <SharedFlowBundle>OPTIONS-CORS-Headers-Response</SharedFlowBundle>
</FlowCallout>

Definition of the SharedFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlow name="default">
    <Step>
        <Name>OPTIONS-CORS-Headers-Response</Name>
        <Condition>request.verb == "OPTIONS"</Condition>
    </Step>
</SharedFlow>

Definition of the RaiseFault policy, where we will set the Access-Control-Allow-Origin header to *, which will allow the invocation from our browser:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="OPTIONS-CORS-Headers-Response">
    <DisplayName>OPTIONS CORS Headers Response</DisplayName>
    <Properties/>
    <FaultResponse>
        <Set>
            <Headers>
                <Header name="Access-Control-Allow-Origin">*</Header>
                <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization</Header>
                <Header name="Access-Control-Max-Age">3628800</Header>
                <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
            </Headers>
            <Payload contentType="text/plain"/>
            <StatusCode>200</StatusCode>
            <ReasonPhrase>OK</ReasonPhrase>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

Angular:

import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs';

// Authorization header sent with the call; the OPTIONS response above lists it in Access-Control-Allow-Headers
const httpOptions2 = { headers: new HttpHeaders({ 'Authorization': 'Bearer token' }) };

obtenerCatalogos(): Observable<any> {
    return this.httpClient.get<any>(uriApigee + 'endpointapigee', httpOptions2);
}

Regards
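As an added example (not code from the thread or from Apigee), the following Python model replays the checks a browser performs on a preflight (OPTIONS) response, using the header set the RaiseFault policy above returns. It shows why the `authorization` entry in Access-Control-Allow-Headers matters for the Angular call that sends a Bearer token, and why a `*` wildcard would not cover it. The responses, the page origin and the request details are constructed sample data, and the safelists are a simplified reading of the Fetch specification (Content-Type is treated as needing to be listed, the conservative choice).

```python
# Added example (not from the thread or from Apigee): an offline model of the
# checks a browser makes on a preflight (OPTIONS) response, run against the
# header set the RaiseFault policy above returns.  The responses and request
# details below are constructed sample data; the safelists are a simplified
# reading of the Fetch specification (Content-Type is treated as needing to
# be listed, which is the conservative choice).

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}


def parse_headers(raw):
    """Parse 'Name: value' lines into {lower-case name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip().lstrip("<").strip()
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _list(headers, name):
    """Flatten a comma-separated header (possibly repeated) into tokens."""
    tokens = []
    for value in headers.get(name, []):
        tokens.extend(t.strip() for t in value.split(",") if t.strip())
    return tokens


def preflight_ok(raw_response, origin, method, request_headers, credentials=False):
    """Return (allowed, reason) for the preflight the browser would evaluate."""
    h = parse_headers(raw_response)
    acao = h.get("access-control-allow-origin", [])
    if len(acao) != 1:
        return False, f"Access-Control-Allow-Origin must appear exactly once, got {acao}"
    if acao[0] not in ("*", origin):
        return False, f"origin {origin} is not allowed by {acao[0]!r}"
    if credentials:
        # The wildcard origin is never accepted for credentialed requests.
        if acao[0] == "*":
            return False, "wildcard origin is rejected when credentials are sent"
        if h.get("access-control-allow-credentials", [""])[0].lower() != "true":
            return False, "Access-Control-Allow-Credentials: true is required"
    methods = {m.upper() for m in _list(h, "access-control-allow-methods")}
    wildcard_methods = "*" in methods and not credentials
    m = method.upper()
    if m not in SAFELISTED_METHODS and m not in methods and not wildcard_methods:
        return False, f"method {m} is not in Access-Control-Allow-Methods"
    allowed = {n.lower() for n in _list(h, "access-control-allow-headers")}
    wildcard_headers = "*" in allowed and not credentials
    for name in request_headers:
        n = name.lower()
        if n in SAFELISTED_HEADERS or n in allowed:
            continue
        # A '*' in Allow-Headers never covers Authorization; it must be listed.
        if wildcard_headers and n != "authorization":
            continue
        return False, f"request header {name} is not in Access-Control-Allow-Headers"
    return True, "ok"


# Constructed: the headers the RaiseFault policy above sets on OPTIONS.
PREFLIGHT_RESPONSE = """\
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization
Access-Control-Max-Age: 3628800
Access-Control-Allow-Methods: GET, PUT, POST, DELETE
"""

# Constructed: a response that relies on the header wildcard instead.
WILDCARD_RESPONSE = """\
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: GET, POST
"""

if __name__ == "__main__":
    origin = "https://app.example"  # constructed page origin
    print(preflight_ok(PREFLIGHT_RESPONSE, origin, "GET", ["Authorization"]))
    print(preflight_ok(PREFLIGHT_RESPONSE, origin, "PATCH", []))
    print(preflight_ok(WILDCARD_RESPONSE, origin, "GET", ["Authorization"]))
```

Run it with the header list copied from an actual OPTIONS response to see which request shape the proxy will and will not admit before touching the browser; the `credentials=True` path is the case to check if the client ever switches from a Bearer header to cookies, since the `*` origin stops working there.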