corydolphin / flask-cors

Cross Origin Resource Sharing (CORS) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License

same domain added twice #215

Closed wahello closed 6 years ago

wahello commented 6 years ago

I use Nginx as a reverse web proxy, and the configuration for the API is as follows:

```nginx
location /api/ {
    set $cors '';
    if ($http_origin ~ '^http?://(localhost|zz56\.s1\.natapp\.cc|logierp\.zz56\.s1\.natapp\.cc)') {
        set $cors 'true';
    }

    if ($cors = 'true') {
        #add_header Access-Control-Allow-Origin "$http_origin" ;
        #add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
        # required to be able to read Authorization header in frontend
        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
    }

    if ($request_method = 'OPTIONS') {
        add_header Access-Control-Allow-Origin "$http_origin";
        #add_header 'Access-Control-Allow-Origin' '*';
        #add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, HEAD';
        #add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
        #return 204;
    }
}
```

and the browser console error is the following: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'http://logierp.zz56.s1.natapp.cc, http://logierp.zz56.s1.natapp.cc', but only one is allowed. Origin 'http://logierp.zz56.s1.natapp.cc' is therefore not allowed access.

It seems that Access-Control-Allow-Origin adds the same origin twice.

Any idea how to fix it? Help!!!!!

jacopofar commented 6 years ago

@keyeMyria nginx does that automatically when the same header is defined twice; in your case, probably the two conditions are both true. Make the conditions stricter so they don't overlap, but this is not a flask-cors issue.
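
The browser check behind the error quoted in the question can be run offline against captured response headers. The following is an added example, not code from this thread or from flask-cors; the function names and the sample header lists are constructed for illustration, and only the origin string is taken from the error message above.

```python
# Added example: audit the CORS headers of a preflight response.
# Headers are (name, value) pairs exactly as received, duplicates included.

def acao_values(headers):
    """Collect every Access-Control-Allow-Origin value, splitting comma-joined ones."""
    values = []
    for name, value in headers:
        if name.lower() == "access-control-allow-origin":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def check_preflight(origin, headers):
    """Return the problems that would make a browser reject the response."""
    problems = []
    values = acao_values(headers)
    # Browsers only honour the exact, case-sensitive value "true".
    creds = any(
        n.lower() == "access-control-allow-credentials" and v.strip() == "true"
        for n, v in headers
    )
    if not values:
        problems.append("missing Access-Control-Allow-Origin")
    elif len(values) > 1:
        # Two add_header hits, or proxy plus application, both end up here.
        problems.append("multiple Access-Control-Allow-Origin values: " + ", ".join(values))
    elif values[0] == "*":
        if creds:
            problems.append("wildcard origin is rejected for credentialed requests")
    elif values[0] != origin:
        problems.append("origin mismatch: " + values[0])
    return problems


# Constructed sample responses (not captured traffic).
ORIGIN = "http://logierp.zz56.s1.natapp.cc"
ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"
SINGLE = [(ACAO, ORIGIN), (ACAC, "true")]
DUPLICATED = [(ACAO, ORIGIN), (ACAO, ORIGIN), (ACAC, "true")]
JOINED = [(ACAO, ORIGIN + ", " + ORIGIN), (ACAC, "true")]
WILDCARD = [("access-control-allow-origin", "*"), (ACAC, "true")]

if __name__ == "__main__":
    for label, hdrs in [("single", SINGLE), ("duplicated", DUPLICATED),
                        ("joined", JOINED), ("wildcard", WILDCARD)]:
        print(label, check_preflight(ORIGIN, hdrs) or "ok")
```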