Firstly, thanks for the beautiful chunk of code. The gem is a boon!
Following is the issue that I came across while using Rack Cors (version: 1.0.2).
Background:
Rails 5 + Rack Cors + Nginx + Google Chrome (Version 65.0)
Issue:
When the Access-Control-Allow-Origin header is set by both Rack Cors and Nginx, it results in the application sending multiple Access-Control-Allow-Origin headers in the response.
Details:
The error,
Failed to load https://myurl: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'http://myurl' is therefore not allowed access.
Response Headers:
It can clearly be seen that multiple headers for Access-Control-Allow-Origin are being sent in the response. And I think Chrome will just merge the headers, resulting in the violation error mentioned above.
While I agree that we should not be setting multiple headers of the same type, it's just the separation of the providing software (Rails + Rack Cors and Nginx) which is causing the issue.
PS: I also think this might be something which cannot be handled in the Rack Cors gem, since the web server (in this case Nginx) sits at the next step in the response flow and there might not be a way to modify its behavior from the Rack Cors side.
I am just mentioning this issue so that if people come across similar stuff they might get the hang of the root cause. Also, if there is a way to handle this, it'd be awesome.
I had the same exact problem with Apache and a Sinatra app.
The problem happened because we were running an old version of Apache that we couldn't reliably tell to only add the header if it doesn't exist. We fixed it by updating Apache.
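A check for the condition reported in this thread, as an added example that is not part of the issue or of rack-cors: it parses a raw response (as printed by `curl -si`) and reports CORS headers that reach the client more than once, joined with ", " the way the browser combines repeated fields before the CORS check. The function names and the sample response are constructed for illustration.

```ruby
# Added example (not rack-cors code): find CORS response headers emitted
# twice, e.g. once by the Rack app and once by the reverse proxy.

# CORS headers the browser expects to carry exactly one value.
SINGLE_VALUED = %w[
  access-control-allow-origin
  access-control-allow-credentials
].freeze

# Constructed sample: a preflight response where both layers set the header.
SAMPLE_PREFLIGHT = <<~HTTP
  HTTP/1.1 200 OK
  Server: nginx
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: GET, POST, OPTIONS
  access-control-allow-origin: *
  Content-Length: 0

HTTP

# Parse the header block into { lowercased-name => [values...] }, keeping
# repeated fields separate (header names are case-insensitive).
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  lines = head.split(/\r?\n/)
  lines.shift if lines.first.to_s.start_with?("HTTP/") # drop status line
  lines.each_with_object({}) do |line, acc|
    name, value = line.split(":", 2)
    next if value.nil?
    (acc[name.strip.downcase] ||= []) << value.strip
  end
end

# Return { name => combined_value } for each single-valued CORS header that
# ends up with more than one value, whether sent as repeated lines or already
# merged into one comma-separated line by an intermediary.
def duplicated_cors_headers(raw)
  parse_headers(raw).each_with_object({}) do |(name, values), found|
    next unless SINGLE_VALUED.include?(name)
    combined = values.join(", ")
    found[name] = combined if combined.include?(",")
  end
end

if __FILE__ == $PROGRAM_NAME
  duplicated_cors_headers(SAMPLE_PREFLIGHT).each do |name, value|
    puts "#{name} has multiple values: '#{value}'"
  end
end
```

Run it against the response as seen through the proxy, not against the app server directly, since the second header is added after the Rack response leaves the application.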