The 'Access-Control-Allow-Origin' header contains multiple values

People also ask

Does the Access-Control allow Origin header contains multiple values?

This can also happen of course if you've actually set your Access-Control-Allow-Origin header to have multiple values - For example, a comma separated list of values, which is kind of supported in the RFC but isn't actually supported by most major browsers.

How do I allow multiple domains in Access-Control allow origin?

Sounds like the recommended way to do it is to have your server read the Origin header from the client, compare that to the list of domains you would like to allow, and if it matches, echo the value of the Origin header back to the client as the Access-Control-Allow-Origin header in the response.

What should be the value of Access-Control allow origin?

Access-Control-Allow-Origin specifies either a single origin which tells browsers to allow that origin to access the resource; or else — for requests without credentials — the " * " wildcard tells browsers to allow any origin to access the resource.

I added

config.EnableCors(new EnableCorsAttribute(Properties.Settings.Default.Cors, "", ""))

as well as

app.UseCors(CorsOptions.AllowAll);

on the server. This results in two header entries. Just use the latter one and it works.

We ran into this problem because we had set up CORS according to best practice (e.g. http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api) AND ALSO had a custom header <add name="Access-Control-Allow-Origin" value="*"/> in web.config.

Remove the web.config entry, and all is well.

Contrary to @mww's answer, we still have EnableCors() in the WebApiConfig.cs AND an EnableCorsAttribute on the controller. When we took out one or the other, we ran into other issues.

I'm using Cors 5.1.0.0, after much headache, I discovered the issue to be duplicated Access-Control-Allow-Origin & Access-Control-Allow-Header headers from the server

Removed config.EnableCors() from the WebApiConfig.cs file and just set the [EnableCors("*","*","*")] attribute on the Controller class

Check this article for more detail.

Add to Register WebApiConfig

var cors = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);

Or web.config

<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>  
</httpProtocol>

BUT NOT BOTH

Related questions
                            
                                How do I return NotFound() IHttpActionResult with an error message or exception?
                            
                                Get the current user, within an ApiController action, without passing the userID as a parameter
                            
                                How to force ASP.NET Web API to always return JSON?
                            
                                How to update a claim in ASP.NET Identity?
                            
                                Error :Request header field Content-Type is not allowed by Access-Control-Allow-Headers
                            
                                How to return a file using Web API?
                            
                                Handle ModelState Validation in ASP.NET Web API
                            
                                Entity framework self referencing loop detected [duplicate]
                            
                                Working POST Multipart Request with Volley and without HttpEntity
                            
                                Need to log asp.net webapi 2 request and response body to a database
                            
                                Web API 2: how to return JSON with camelCased property names, on objects and their sub-objects
                            
                                Why should I create async WebAPI operations instead of sync ones?
                            
                                So, JSONP or CORS? [closed]
                            
                                Dot character '.' in MVC Web API 2 for request such as api/people/STAFF.45287
                            
                                Custom method names in ASP.NET Web API
                            
                                Make sure that the controller has a parameterless public constructor error
                            
                                'System.Net.Http.HttpContent' does not contain a definition for 'ReadAsAsync' and no extension method
                            
                                Failed to serialize the response in Web API with Json
                            
                                Can I incorporate both SignalR and a RESTful API?
                            
                                Redirect from asp.net web api post action

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

The 'Access-Control-Allow-Origin' header contains multiple values

Tags:

cors

asp.net-web-api

angularjs-http

People also ask

Recent Activity

Donate For Us