4

The following error throws for me when making a request:

Access to XMLHttpRequest at 'My Server URL' from origin 'Server Name' has been 
blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple
values 'Server Name, *', but only one is allowed.

However in my WebApiConfig.cs file I have defined the CORS policy as follows:

var cors = new EnableCorsAttribute("MyServerName", "Content-Type", "GET,PUT,POST,DELETE");
config.EnableCors(cors);

I have defined only one value MyServerName, yet the error thrown defines it as 'Server Name, *'

UPDATE:

When disabling my CORS definition in my WebApiConfig.cs file I recieve the following error when making a request:

Access to XMLHttpRequest at 'My Server URL' from origin 'Server Name' has been 
blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in
the response must not be the wildcard '*' when the request's credentials mode is
'include'. The credentials mode of requests initiated by the XMLHttpRequest is 
controlled by the withCredentials attribute.

I do not have CORS defined in my Web.config file.

UPDATE 2

My Access-Control-Allow-Origin value was being defined in my IIS, after changing it and running it, it thinks the value is ''.

TheGreatZab
  • 163
  • 1
  • 3
  • 18
  • 1
    You are setting the header in more than one place, apparently. Are you also setting it in your web.config? –  Jan 09 '20 at 17:07
  • 1
    If the header is set multiple times, your browser combines their values together. So here you are setting the header with `MyServerName`, and someplace else, you're setting the header with `*`. The browser is combining them together. You can observe the dupe headers in your browser's network tab. –  Jan 09 '20 at 17:10
  • @TheGreatZab could you post your web.config settings as well if you have any related to cors? – sam Jan 09 '20 at 17:38
  • I don't recall defining it in my Web.config file, I will go through it and make sure. UPDATE: I do not have it defined in my web.config however I tried commenting out my current definition and the error thrown is telling me there is a wildcard '*' defined somewhere. – TheGreatZab Jan 09 '20 at 17:39

1 Answers1

2

Summing up from The 'Access-Control-Allow-Origin' header contains multiple values there are multiple ways to add CORS and you possibly have more than one:

  1. The way you are doing it.
  2. By calling app.UseCors(CorsOptions.AllowAll);
  3. By adding it in web.config
<system.webServer>
  <httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
  </customHeaders>
</httpProtocol>
  1. And by using the Cors attribute.
  2. IIS or other configuration on the web server. Restart the app pool and it should work.
Athanasios Kataras
  • 25,191
  • 4
  • 32
  • 61
  • I do not have it defined in my web.config however I tried commenting out my current definition and the error thrown is telling me there is a wildcard '*' defined somewhere. – TheGreatZab Jan 09 '20 at 17:43
  • Do you have any filters? It might be added there. It might even be added by your web server. – Athanasios Kataras Jan 09 '20 at 17:45
  • No filters, I'm not sure how I would have it added in my web server. – TheGreatZab Jan 09 '20 at 18:09
  • @TheGreatZab Search your code for the word "origin", case insenstive search. It's there, somewhere. Don't just search .cs files, also search config files. –  Jan 09 '20 at 18:12
  • If it's iis, it might be in the website level configuration – Athanasios Kataras Jan 09 '20 at 18:12
  • It is IIS, I will look into it there, do you know where exactly I might find it on IIS? – TheGreatZab Jan 09 '20 at 18:21
  • Any web config. Possibly root of the application site https://enable-cors.org/server_iis7.html – Athanasios Kataras Jan 09 '20 at 18:26
  • So I found where it was defined and it did say '*' but when I changed it to the correct value I would get an error saying the value is '', so when I renabled it in my WebApiConfig.cs it would then say I have it defined twice :(. – TheGreatZab Jan 09 '20 at 18:52
  • If it is in iis, remove it from there and keep it only in the webapiconfig. You need to also restart app pool for the settings to take place for sure – Athanasios Kataras Jan 09 '20 at 18:55
  • This has resolved my issue thank you, please update your answer and I will accept it. – TheGreatZab Jan 09 '20 at 19:05