This repository has been archived by the owner on Jul 16, 2019. It is now read-only.

Duplicate headers in response #8

Open
aeirola opened this issue May 2, 2016 · 2 comments

aeirola commented May 2, 2016

I've noticed that it is possible for the filter to return responses with multiple Access-Control-Allow-Origin headers if the original response already happens to contain some CORS headers. Browsers don't like this kind of response, with Chrome complaining as follows:

The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'http://localhost:8000' is therefore not allowed access. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

While I understand that there should only be one source of CORS headers for a single response, it is quite easy to bump into the issue if enriching resources from other CORS-enabled services. Then the CORS headers from both services will be appended to the response.

I guess the simple solution would be to check if the response already contains CORS headers, and then either leave them be, or overwrite them with new values. Adding multiple CORS headers doesn't seem to be good behaviour.

aeirola commented May 2, 2016

As for the CORS specification, it is stated under 7.2 Resource Sharing Check that the response should be considered invalid if it contains more than one Access-Control-Allow-Origin header.

monarchwadia commented Jun 22, 2017

I also ran into this issue. I fixed it by changing the <url-pattern> to match only those routes which did not add CORS headers to their responses beforehand. This was easy in my case, but might not be very easy in other cases.
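
One way to implement the "overwrite" option proposed in the first comment, as an added example that is not this repository's code: a servlet filter that writes Access-Control-Allow-Origin with `setHeader` and wraps the response so later writes of that header are dropped, leaving exactly one value. It assumes the `javax.servlet` API (the thread mentions `<url-pattern>`); the class names `SingleCorsHeaderFilter` and `SingleValueResponse` and the origin value are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not this repository's code): guarantees a single
// Access-Control-Allow-Origin value even when other code also writes one.
public class SingleCorsHeaderFilter implements Filter {
    private static final String ACAO = "Access-Control-Allow-Origin";
    // Constructed sample value; a real deployment would take it from configuration.
    private static final String ALLOWED_ORIGIN = "https://app.example.com";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Case 1: an earlier filter already wrote the header. setHeader replaces
        // the existing value, whereas addHeader would append a second one.
        response.setHeader(ACAO, ALLOWED_ORIGIN);
        // Case 2: downstream code (for example, code copying headers from another
        // CORS-enabled service) writes the header later. The wrapper discards that
        // write, so a downstream "*" cannot widen or duplicate this filter's policy.
        chain.doFilter(req, new SingleValueResponse(response));
    }

    // Policy chosen for this example: the filter's value wins.
    private static final class SingleValueResponse extends HttpServletResponseWrapper {
        SingleValueResponse(HttpServletResponse response) { super(response); }

        @Override public void addHeader(String name, String value) {
            if (ACAO.equalsIgnoreCase(name)) return; // already set by the filter
            super.addHeader(name, value);
        }

        @Override public void setHeader(String name, String value) {
            if (ACAO.equalsIgnoreCase(name)) return; // already set by the filter
            super.setHeader(name, value);
        }
    }
}
```

The same guard would be needed for the other Access-Control-* response headers if downstream code sets them as well.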
