
Multiple Access-Control-Allow-Credentials response headers #2629

Closed
l3ender opened this issue Oct 23, 2019 · 1 comment · Fixed by #2718

Comments

l3ender (Contributor) commented Oct 23, 2019

Branch/Environment/Version

  • Branch/Version: latest in docker as of 2019-10-23
    • gateway: 2.9.1
    • dashboard: 1.9.1
  • Environment: on-prem

Describe the bug
When configuring "Allow credentials" in CORS support on an API, multiple Access-Control-Allow-Credentials headers can be returned if the upstream API adds the header to the response.

Browsers do not support multiple copies of this header; Chrome logs the following in the console:

Access to XMLHttpRequest at 'http://www.tyk-test.com:8080/testapi' from origin 'http://localhost:4200' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is 'true, true' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Reproduction steps

  1. Create an API pointing to the upstream http://httpbin.org/ server.
  2. Configure CORS on the API and enable "Allow credentials".
  3. Test the API with Postman and set Origin header on request.

Actual behavior
Multiple Access-Control-Allow-Credentials headers are returned in the response.

Expected behavior
Only a single Access-Control-Allow-Credentials header should be returned.

Screenshots/Video
[Screenshot: Screen Shot 2019-10-23 at 2 41 40 PM]

Configuration (tyk config file):
API CORS config:

    "CORS": {
      "enable": true,
      "max_age": 600,
      "allow_credentials": true,
      "exposed_headers": [],
      "allowed_headers": [],
      "options_passthrough": false,
      "debug": false,
      "allowed_origins": [],
      "allowed_methods": [
        "GET"
      ]
    },

Additional context
This is closely related to #2199. I believe it'd be worth the effort to review all CORS headers to avoid other similar issues.
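To show the mechanism behind the report and a defensive fix, here is an added Go example (not Tyk's code): a gateway that copies the upstream response headers and then appends its own CORS headers with `Header.Add` reproduces the `true, true` value Chrome rejects, while removing any upstream copy of the single-valued CORS headers and using `Header.Set` leaves exactly one. The upstream headers and the origin value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// CORS response headers that must appear at most once: the gateway's value
// has to replace, not sit beside, any copy the upstream already sent.
var singleValuedCORS = []string{
	"Access-Control-Allow-Origin",
	"Access-Control-Allow-Credentials",
	"Access-Control-Max-Age",
}

// applyCORSNaive reproduces the bug: Add appends a second copy of each header.
func applyCORSNaive(h http.Header, origin string) {
	h.Add("Access-Control-Allow-Origin", origin)
	h.Add("Access-Control-Allow-Credentials", "true")
}

// applyCORSFixed drops whatever the upstream sent for single-valued CORS
// headers before setting the gateway's own, so exactly one copy is returned.
func applyCORSFixed(h http.Header, origin string) {
	for _, k := range singleValuedCORS {
		h.Del(k)
	}
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Allow-Credentials", "true")
}

// credentialsSeenByBrowser builds a constructed upstream reply that, like
// httpbin, already carries CORS headers, runs the given CORS step over it
// (the gateway copies upstream headers into the client response first), and
// joins repeated Allow-Credentials values with ", ", as Chrome reports them.
func credentialsSeenByBrowser(apply func(http.Header, string)) string {
	h := http.Header{}
	h.Set("Access-Control-Allow-Origin", "*")
	h.Set("Access-Control-Allow-Credentials", "true")
	apply(h, "http://localhost:4200")
	return strings.Join(h.Values("Access-Control-Allow-Credentials"), ", ")
}

func main() {
	fmt.Println("naive:", credentialsSeenByBrowser(applyCORSNaive)) // naive: true, true
	fmt.Println("fixed:", credentialsSeenByBrowser(applyCORSFixed)) // fixed: true
}
```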

maciejwojciechowski (Contributor) commented:

verified
