Search code examples
asp.net-web-apicorsweb-configiis-8

CORS policy issue just started with no code changes - "CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values"

Hello all I'm having a weird CORS policy issue... I was wondering if anyone has seen anything like this and how I should address the issue???

Here's the CORS issue were getting:

Access to XMLHttpRequest at 'https://myservice.dev.mycompany.com/api/SSO/SSOProfile' from origin 'https://myapp.dev.mycompany.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://myapp.dev.mycompany.com, https://myapp.dev.mycompany.com', but only one is allowed.

The multiple (duplicate) values in the response header in Chrome dev tools are: 

Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://myapp.dev.mycompany.com
Access-Control-Allow-Origin: https://myapp.dev.mycompany.com

The origins we enabled for our cors attribute are https://myotherapp.dev.mycompany.com,https://myapp.dev.mycompany.com The "myotherapp" isn't relevant in this case, as we are just trying to log in, and the "myotherapp" is for a less used function.

Here's what's weird:

  • No code was deployed between the time it last worked and the time it broke.
  • It's only happening in our dev environment. Same code base is running fine locally, and in test, stage, and prod.
  • I even tried re-deploying, restarting the app pool, and bouncing both (load balanced) dev servers.
  • I don't know of any network changes, server patches, or IIS changes on the dev boxes.

The circumstances lead me to believe it's not code related, but environmental -- IIS, load balancer, or network related. I mostly code, so I'm having difficulty tracking this down. I've been over it with a few infrastructure team members but we still haven't figured it out.

Any ideas?? Thanks!

Here's the WebApiConfig class, and we don't have the CORS custom headers defined in the config, just the origins as app settings (see code below). Like I said this error popped up without any new code deployments.

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services
        /*
         *  from web.Dev.config
         *  <add key="corsAttribute" value="https://myotherapp.dev.mycompany.com,https://myapp.dev.mycompany.com" xdt:Transform="SetAttributes" xdt:Locator="Match(key)"/>
         */
        var cors = new EnableCorsAttribute(ConfigurationManager.AppSettings["corsAttribute"], "*", "*");
        cors.SupportsCredentials = true;
        config.EnableCors(cors);
        // Web API routes
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
        config.Formatters.JsonFormatter.SerializerSettings.DateTimeZoneHandling = DateTimeZoneHandling.Unspecified;
        }
    }
Solution

  • Found it; fixed it! I hope this can help someone in the future...

    On the F5 load balancer, someone added dev.mycompany.com to the same VIP as myapp.dev.mycompany.com.  And when they did that, they also added an irule to account for the allow origin, but our apps do that in the code/config, so there were multiples.  They dropped the rule and are going to give dev.mycompany.com it's own VIP.  Made for a long couple of days!!