Header contains multiple values

[david-poindexter]

I am seeing the following now when using crossorigin.me.

XMLHttpRequest cannot load https://crossorigin.me/http://mydomain/api. The 'Access-Control-Allow-Origin' header contains multiple values '*, https://creator.ionic.io', but only one is allowed. Origin 'https://creator.ionic.io' is therefore not allowed access.

Did something change regarding the header? It was working fine before and I have confirmed nothing has changed on the Ionic Creator side of things.

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/40115687-header-contains-multiple-values?utm_campaign=plugin&utm_content=tracker%2F12536595&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F12536595&utm_medium=issues&utm_source=github).

[tjvr]

Please can we see the full HTTP request/response? Thanks. :)

[david-poindexter]

Sure thing...here is one example:

`
General
Request URL:https://crossorigin.me//http://www.concorddowntown.com/DesktopModules/DnnSharp/DnnApiEndpoint/Api.ashx?method=CDDCNews
Request Method:GET
Status Code:522
Remote Address:104.31.64.208:443

Response Headers
cache-control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
cf-ray:3154e8e72ff156d5-IAD
content-type:text/html; charset=UTF-8
date:Thu, 22 Dec 2016 16:22:27 GMT
expires:Thu, 01 Jan 1970 00:00:01 GMT
pragma:no-cache
server:cloudflare-nginx
set-cookie:__cfduid=da784d2a47db1ccd06d859a1a34c456111482423716; expires=Fri, 22-Dec-17 16:21:56 GMT; path=/; domain=.crossorigin.me; HttpOnly
status:522
x-frame-options:SAMEORIGIN

Request Headers
:authority:crossorigin.me
:method:GET
:path://http://www.concorddowntown.com/DesktopModules/DnnSharp/DnnApiEndpoint/Api.ashx?method=CDDCNews
:scheme:https
accept:application/json, text/plain, /
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8
cache-control:no-cache
origin:https://creator.ionic.io
pragma:no-cache
referer:https://creator.ionic.io/app/designer/6db8c36f61ad
user-agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Query String Parameters
view source
view URL encoded
method:CDDCNews
`

[ihac]

I was stuck in this issue too.

[maackle]

I'm having this issue too. Example request from localhost:8000 -

GET https://crossorigin.me/http://apiv3.iucnredlist.org/api/v3/species/gorilla+gorilla

(note the duplicate access-control-allow-origin entries in the response headers)