CORS issue with api domain versus local domain

Question

I'm having the following CORS issue:

With Grunt I emulate my local environment development-mydomain.com.br:9000. It tries to access a remote API with the name api-test.mydomain.com.br. I have CORS issue with this.

XMLHttpRequest cannot load http://api-test.mydomain.com.br/auth.php. The 'Access-Control-Allow-Origin' header has a value 'http://test.mydomain.com.br' that is not equal to the supplied origin. Origin 'http://development-mydomain.com.br:9000' is therefore not allowed access.

I also have a test enviroment http://test.mydomain.com.br which then works fine. Why is the header http://test.mydomain.com.br and not http://api-test.mydomain.com.br ?

Here is the cors.php file in my domain http://api-test.mydomain.com.br :

<?
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header("Access-Control-Allow-Origin: http://test.mydomain.com.br");
    header("Access-Control-Allow-Origin: http://development-mydomain.com.br:9000");
    header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: POST, GET, DELETE');
?>

UPDATE: got it working via https://stackoverflow.com/a/7454204/1147504

Answer 1

header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header("Access-Control-Allow-Origin: http://test.mydomain.com.br");
header("Access-Control-Allow-Origin: http://development-mydomain.com.br:9000");

Don't set the header multiple times. Set it once, to the value you actually want.