问题
So we have an http resource that serves up JSON. It adds an
Access-Control-Allow-Origin: *
flag. So this can be loaded with CORS... except (so I'm told) there's some IE9 quirk that means this still won't work in IE9, but it would work if this were an https resource.
So we set up an existing https proxy to include this resource. Only that https resource was ALSO adding the Access-Control-Allow-Origin: * header, so the response contains TWO such headers.
And this seems not to work at all. Experimentally it looks like if I remove the header from the "inner" http resource, the proxied version (now containing just the one header) does work. Just testing with jQuery CORS in Chrome, Firefox.
Is that right? So all I need to do is (have somebody) fix the https proxy to "set" the header and not of "add" it?
回答1:
The CORS spec explicitly states that:
If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.
So you are correct, you should only have a single Access-Control-Allow-Origin header.
回答2:
If the duplicate headers have different values then they will be concatenated into one value. That, as monsur pointed out, will cause the header to be invalid, as stated in the spec.
Having a duplicate header with the same value might work with some clients (Chrome let's that pass, at least at the time of writing) but as the Mozilla Developer Network says:
A returned resource may have one Access-Control-Allow-Origin header...
So, one header to control them all.
来源:https://stackoverflow.com/questions/15682496/will-duplicate-access-control-allow-origin-headers-break-cors