
I am having a cross domain problem connecting from localhost to a remote server at Nodejitsu via Socket.io. I get an error "...header contains multiple values 'http://evil.com/, *', but only one is allowed". More details below:

I have an Express/Mongoose/Socket.io app running at Nodejitsu serving as a REST API; it serves no HTML files.

Locally I have an Angularjs+Requirejs app (running at http://localhost:8000) trying to connect to the remote API and I can't get access. While I can test the API methods with POSTMAN and am able to read the socket.io script frontend from the Angular RequireJS app, the connection is not granted access and causes the server to crash-loop.

In my NodeJS/Express app on Nodejitsu, I have set the following:

var express    = require('express');
var app        = express();
var bodyParser = require('body-parser');
var morgan     = require('morgan');
var port       = process.env.PORT || 80; // set our port the same as Nodejitsu

// ATTACHING SOCKET.IO
var server = require('http').createServer(app);
var io = require('socket.io')(server);
app.set('socketio', io); // socket instance of the app
app.set('server', server);

// CONFIGURE BODY PARSER
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());

//CORS SETTING
app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "http://localhost:8000");
    res.header("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE,OPTIONS");
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
    res.header("Access-Control-Allow-Credentials", "false");
    next();
});

// START SERVER
app.get('server').listen(port);

---------
// package.json

"dependencies": {
    "express": "4.11.1",
    "morgan": "1.5.1",
    "mongoose": "3.8.21",
    "body-parser": "1.10.2",
    "grunt-release": "0.10.0",
    "socket.io": "1.3.2"
},

In the Angular app on localhost:8000, I checked that Header is not duplicated, as the attached png shows.

// main.js

"use strict";

require.config({

    paths: {

        ...

        'socketio': 'http://<MYAPP>.jit.su/socket.io/socket.io',

        ...

// SocketFactory.js

var socket = io.connect('http://<MYAPP>.jit.su:80/api/boards');

However I get this error message, even when I set Origin to be localhost://8000:

XMLHttpRequest cannot load http://<MYAPP>.jit.su/socket.io/?EIO=3&transport=polling&t=1423052553506-7. 
The 'Access-Control-Allow-Origin' header contains multiple values
'http://evil.com/, *', but only one is allowed. 
Origin 'http://localhost:8000' is therefore not allowed access.

Chrome developer header response

Roman B
  • 1
    Sounds like a similar question/answer: http://stackoverflow.com/questions/22343384/the-access-control-allow-origin-header-contains-multiple-values and http://stackoverflow.com/questions/27351688/localhost-is-therefore-not-allowed-access. It sounds like this error occurs when some CORS-related header is duplicated. You should carefully examine the headers on the request and response to see if any are duplicated. – jfriend00 Feb 04 '15 at 16:59
  • You can read many similar questions/answers [here](https://www.google.com/search?q=header+contains+multiple+values+%27http%3A%2F%2Fevil.com%2F%2C+*%27%2C+but+only+one+is+allowed&rlz=1C1TSNP_enUS471US471&oq=header+contains+multiple+values+%27http%3A%2F%2Fevil.com%2F%2C+*%27%2C+but+only+one+is+allowed&aqs=chrome..69i57.3155j0j7&sourceid=chrome&es_sm=93&ie=UTF-8#q=header+contains+multiple+values+but+only+one+is+allowed). – jfriend00 Feb 04 '15 at 17:03
  • Hi, thanks for your response @jfriend00! I updated my question with more specifics on my issue. I can't see the Access-Control-Allow-Origin being duplicated, but I set it up in Express to be specific to Localhost:8000. However, in Chrome it shows up as evil.com. – Roman B Feb 05 '15 at 11:25
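The header check suggested in the comments, sketched as an added example (not code from the question, the answer or socket.io). It reproduces the browser's single-value rule for Access-Control-Allow-Origin over a list of response headers; the function name `checkAllowOrigin` and the sample header lists are constructed for illustration.

```javascript
// Added example: explain why a browser would reject a response's
// Access-Control-Allow-Origin (ACAO) header for a given request origin.
// `rawHeaders` uses the flat [name, value, name, value, ...] layout of
// Node's http.IncomingMessage#rawHeaders, which keeps duplicate headers.
function checkAllowOrigin(rawHeaders, requestOrigin, withCredentials) {
  const lines = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (rawHeaders[i].toLowerCase() === 'access-control-allow-origin') {
      lines.push(rawHeaders[i + 1]);
    }
  }
  // Browsers join repeated header lines with ", " before checking, so
  // two layers each setting ACAO look like one comma-separated value.
  const values = lines.join(',').split(',').map(v => v.trim()).filter(Boolean);
  const result = { headerLines: lines.length, values, allowed: false, reason: '' };

  if (values.length === 0) {
    result.reason = 'no Access-Control-Allow-Origin header present';
  } else if (values.length > 1) {
    result.reason = (lines.length > 1
      ? 'header set ' + lines.length + ' times (more than one layer adds it)'
      : 'one header line carrying a comma-separated list')
      + '; only one value is allowed';
  } else if (values[0] === '*') {
    result.allowed = !withCredentials;
    result.reason = withCredentials
      ? 'wildcard is not accepted for credentialed requests' : 'wildcard';
  } else if (values[0] === requestOrigin) {
    result.allowed = true;
    result.reason = 'exact origin match';
  } else {
    result.reason = 'value ' + values[0] + ' does not match origin ' + requestOrigin;
  }
  return result;
}

// Constructed sample responses (not captured from the asker's server).
const duplicated = ['Content-Type', 'application/octet-stream',
  'Access-Control-Allow-Origin', 'http://evil.com/',
  'access-control-allow-origin', '*'];
const single = ['Access-Control-Allow-Origin', 'http://localhost:8000'];

for (const [label, headers] of [['duplicated', duplicated], ['single', single]]) {
  const r = checkAllowOrigin(headers, 'http://localhost:8000', false);
  console.log(label, r.allowed ? 'ALLOWED' : 'BLOCKED', '-', r.reason);
}
```

Feeding it the `rawHeaders` of the failing `/socket.io/?EIO=3&transport=polling` response shows whether the header arrives as two separate lines or as one combined value.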

1 Answer

I got the same error, but it wasn't even a CORS issue in the end. When using socket.io with express, listen on the server, not the app, as stated in socket.io's docs.

var app = require('express')();
var server = require('http').Server(app);
var io = require('socket.io')(server);

server.listen(80);

(...)
M165437