s4nchez
12/06/2018, 11:42 AM
xuemin.guan
12/06/2018, 2:37 PM
John Norris
12/06/2018, 4:19 PM
John Norris
12/06/2018, 4:19 PM
Access to fetch at 'http://localhost:8001/api/v2/permissions' from origin 'https://www.dev.flexi.uk' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://www.google.com, https://www.bbc.co.uk', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
The response headers from this request:
access-control-allow-headers: content-type
access-control-allow-methods: POST, OPTIONS
access-control-allow-origin: https://www.google.com, https://www.bbc.co.uk
John Norris
12/06/2018, 4:21 PM
"Access-Control-Allow-Origin" ":" origin-list-or-null | "*", which seems to match the http4k implementation
John Norris
12/06/2018, 4:21 PM
John Norris
12/06/2018, 4:21 PM
In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".
s4nchez
12/06/2018, 4:23 PM
Origin header coming from the client and return a single allowed origin, if that's in the list.
s4nchez
12/06/2018, 4:25 PM
John Norris
12/06/2018, 4:40 PM
s4nchez
12/06/2018, 4:43 PM
John Norris
12/07/2018, 1:31 PM
s4nchez
12/07/2018, 1:34 PM
John Norris
12/07/2018, 1:44 PM
s4nchez
12/07/2018, 1:45 PM
John Norris
12/07/2018, 1:49 PM
s4nchez
12/07/2018, 1:58 PM
John Norris
12/07/2018, 2:00 PM
s4nchez
12/07/2018, 2:06 PM
dave
12/07/2018, 2:29 PM