The Access-Control-Allow-Origin header contains multiple values

Question

I m using AngularJS  http on the client side to access an endpoint of a ASP NET Web API application on the server side  As the client is hosted on a different domain as the server  I need CORS  It works for  http post url  data   But as soon as I authenticate the user and make a request via  http get url   I get the message   The  Access-Control-Allow-Origin  header contains multiple values  http   127 0 0 1 9000  http   127 0 0 1 9000   but only one is allowed  Origin  http   127 0 0 1 9000  is therefore not allowed access    Fiddler shows me that there are indeed two header entries in the get request after a successful options request  What and where am I doing something wrong   Update  When I use jQuery   get instead of  http get  the same error message appears  So this seems no issue with AngularJS  But where is it wrong

User · Answer

I have faced the same issue and this is what I did to resolve it:

In the WebApi service, inside Global.asax I have written the following code:

Sub Application_BeginRequest()
        Dim currentRequest = HttpContext.Current.Request
        Dim currentResponse = HttpContext.Current.Response

        Dim currentOriginValue As String = String.Empty
        Dim currentHostValue As String = String.Empty

        Dim currentRequestOrigin = currentRequest.Headers("Origin")
        Dim currentRequestHost = currentRequest.Headers("Host")

        Dim currentRequestHeaders = currentRequest.Headers("Access-Control-Request-Headers")
        Dim currentRequestMethod = currentRequest.Headers("Access-Control-Request-Method")

        If currentRequestOrigin IsNot Nothing Then
            currentOriginValue = currentRequestOrigin
        End If

        If currentRequest.Path.ToLower().IndexOf("token") > -1 Or Request.HttpMethod = "OPTIONS" Then
            currentResponse.Headers.Remove("Access-Control-Allow-Origin")
            currentResponse.AppendHeader("Access-Control-Allow-Origin", "*")
        End If

        For Each key In Request.Headers.AllKeys
            If key = "Origin" AndAlso Request.HttpMethod = "OPTIONS" Then
                currentResponse.AppendHeader("Access-Control-Allow-Credentials", "true")
                currentResponse.AppendHeader("Access-Control-Allow-Methods", currentRequestMethod)
                currentResponse.AppendHeader("Access-Control-Allow-Headers", If(currentRequestHeaders, "GET,POST,PUT,DELETE,OPTIONS"))
                currentResponse.StatusCode = 200
                currentResponse.End()
            End If
        Next

    End Sub

Here this code only allows pre-flight and token request to add "Access-Control-Allow-Origin" in the response otherwise I am not adding it.

Here is my blog about the implementation: https://ibhowmick.wordpress.com/2018/09/21/cross-domain-token-based-authentication-with-web-api2-and-jquery-angular-5-angular-6/

User · Answer

This can also happen of course if you ve actually set your Access-Control-Allow-Origin header to have multiple values - For example  a comma separated list of values  which is kind of supported in the RFC but isn t actually supported by most major browsers  Note that the RFC talks about how to allow more than one domain without using     as well    For example  you can get that error in Chrome by using a header like so   Access-Control-Allow-Origin  http   test mysite com  http   test2 mysite com  This was in Chrome Version 64 0 3282 186  Official Build   64-bit   Note that if you re considering this because of a CDN  and you use Akamai  you may want to note that Akamai wont cache on the server if you use  Vary Origin  the way many suggest to solve this problem    You ll probably have to change how your cache key is built  using a  Cache ID Modification  response behavior  More details on this issue in this related StackOverflow question

User · Answer

I too had both OWIN as well as my WebAPI that both apparently needed CORS enabled separately which in turn created the  Access-Control-Allow-Origin  header contains multiple values error   I ended up removing ALL code that enabled CORS and then added the following to the system webServer node of my Web Config    lt httpProtocol gt     lt customHeaders gt       lt add name  Access-Control-Allow-Origin  value  https   stethio azurewebsites net    gt       lt add name  Access-Control-Allow-Methods  value  GET  POST  OPTIONS  PUT  DELETE    gt       lt add name  Access-Control-Allow-Headers  value  Origin  X-Requested-With  Content-Type  Accept  Authorization    gt     lt  customHeaders gt   lt  httpProtocol gt    Doing this satisfied CORS requirements for OWIN  allowing log in  and for WebAPI  allowing API calls   but it created a new problem  an OPTIONS method could not be found during preflight for my API calls   The fix for that was simple--I just needed to remove the following from the handlers node my Web Config    lt remove name  OPTIONSVerbHandler    gt    Hope this helps someone

User · Answer

just had this problem with a nodejs server   here is how i fixed it  i run my node server through a nginx proxy and i set nginx and node to both allow cross domain requests and it didnt like that so i removed it from nginx and left it in node and all was well

User · Answer

Here s another instance similar to the examples above that you may only have one config file define where CORS is  There were two web config files on the IIS server on the path in different directories  and one of them was hidden in the virtual directory  To solve it I deleted the root level config file since the path was using the config file in the virtual directory  Have to choose one or the other   URL called    https   example com foo bar                                              CORS config file in root      virtual directory with another CORS config file           deleted this config             other sites using this

User · Answer

Actually you cannot set multiple headers Access-Control-Allow-Origin  or at least it won t work in all browsers   Instead you can conditionally set an environment variable and then use it in Header directive   SetEnvIf Origin    https    localhost https    a-z    my  base  domain    ORIGIN SUB DOMAIN  1 Header set Access-Control-Allow-Origin     ORIGIN SUB DOMAIN e  env ORIGIN SUB DOMAIN   So in this example the response header will be added only if a request header Origin matches RegExp    https    localhost https    a-z    my  base  domain    it basically means localhost over HTTP or HTTPS and   my base domain over HTTPS    Remember to enable setenvif module   Docs    http   httpd apache org docs 2 2 mod mod setenvif html setenvif http   httpd apache org docs 2 2 mod mod headers html header   BTW  The  e in   ORIGIN SUB DOMAIN e is not a typo  It s how you use environment variable in Header directive

User · Answer

So stupid and simple   This problem occurred for me when having two time Header always set Access-Control-Allow-Origin   inside my Apache config file  Once withing the VirtualHost tags and once inside a Limit tag    lt VirtualHost localhost 80 gt          Header set Access-Control-Allow-Origin             lt Limit OPTIONS gt              Header set Access-Control-Allow-Origin               lt  Limit gt   lt  VirtualHost gt    Removing one entry resolved the issue   I guess in the original post it would have been two times   Header set Access-Control-Allow-Origin   http   127 0 0 1 9000

User · Answer

if you are in IIS you need to activate CORS in web config  then you don t need to enable in App Start WebApiConfig cs Register method  My solution was  commented the lines here      Enable CORS   EnableCorsAttribute cors   new EnableCorsAttribute                   config EnableCors cors     and write in the web config    lt system webServer gt     lt httpProtocol gt     lt customHeaders gt       lt add name  Access-Control-Allow-Origin  value       gt     lt  customHeaders gt   lt  httpProtocol gt

User · Answer

The  Access-Control-Allow-Origin  header contains multiple values when i received this error i spent tons of hours searching solution  for this but nothing works  finally i found solution to this problem which is very simple  when   Access-Control-Allow-Origin  header added more than one time to your response this error occur  check your apache conf or httpd conf  Apache server   server side script  and remove unwanted entry header from these files

User · Answer

Add to Register WebApiConfig  var cors   new EnableCorsAttribute                 config EnableCors cors     Or web config    lt httpProtocol gt   lt customHeaders gt   lt add name  Access-Control-Allow-Origin  value       gt   lt add name  Access-Control-Allow-Headers  value  Content-Type    gt   lt add name  Access-Control-Allow-Methods  value  GET  POST  PUT  DELETE  OPTIONS    gt   lt add name  Access-Control-Allow-Credentials  value  true    gt   lt  customHeaders gt     lt  httpProtocol gt    BUT NOT BOTH

User · Answer

I m using Cors 5 1 0 0  after much headache  I discovered the issue to be duplicated Access-Control-Allow-Origin  amp  Access-Control-Allow-Header headers from the server  Removed config EnableCors   from the WebApiConfig cs file and just set the  EnableCors               attribute on the Controller class  Check this article for more detail

User · Answer

for those who are using IIS with php  on IIS it server side update web config file it root directory  wwwroot  and add this    lt  xml version  1 0  encoding  UTF-8   gt   lt configuration gt       lt system webServer gt           lt directoryBrowse enabled  true    gt           lt httpProtocol gt               lt customHeaders gt                   lt add name  Control-Allow-Origin  value      gt               lt  customHeaders gt           lt  httpProtocol gt       lt  system webServer gt   lt  configuration gt    after that restart IIS server    type IISReset  in RUN  and enter

User · Answer

Apache Server   I spend the same  but it was because I had no quotation marks     the asterisk in my file that provided access to the server  eg   htaccess      Header add Access-Control-Allow-Origin     Header add Access-Control-Allow-Origin        You may also have a file   htaccess  in a folder with another   htaccess  out  eg      -  htaccess  - public html    htaccess  problem here    In your case instead of     asterisk would be the ip  http   127 0 0 1 9000  server that you give permission to serve data   ASP NET   Check that there is no  Access-Control-Allow-Origin  duplicate in your code   Developer Tools   With Chrome you can verify your request headers  Press the F12 key and go to the  Network  tab  now run the AJAX request and will appear on the list  click and give all the information is there

User · Answer

We ran into this problem because we had set up CORS according to best practice  e g  http   www asp net web-api overview security enabling-cross-origin-requests-in-web-api  AND ALSO had a custom header  lt add name  Access-Control-Allow-Origin  value      gt  in web config     Remove the web config entry  and all is well     Contrary to  mww s answer  we still have EnableCors   in the WebApiConfig cs AND an EnableCorsAttribute on the controller   When we took out one or the other  we ran into other issues

User · Answer

I added  config EnableCors new EnableCorsAttribute Properties Settings Default Cors            as well as  app UseCors CorsOptions AllowAll    on the server  This results in two header entries  Just use the latter one and it works

User · Answer

This happens when you have Cors option configured at multiple locations  In my case I had it at the controller level as well as in the Startup Auth cs ConfigureAuth   My understanding is if you want it application wide then just configure it under Startup Auth cs ConfigureAuth like this   You will need reference to Microsoft Owin Cors  public void ConfigureAuth IAppBuilder app                      app UseCors CorsOptions AllowAll     If you rather keep it at the controller level then you may just insert at the Controller level    EnableCors  http   localhost 24589                  public class ProductsController   ApiController               ProductRepository  prodRepo

[asp.net-web-api] The 'Access-Control-Allow-Origin' header contains multiple values

Examples related to asp.net-web-api

Examples related to cors

Examples related to angularjs-http