CORS returning all, instead of just one #1659

Closed
jbenet opened this issue Sep 6, 2015 · 3 comments
Labels
kind/bug A bug in existing code (including security flaws) topic/gateway Topic gateway

Comments

jbenet commented Sep 6, 2015

I'm seeing the CORS:

> curl -I https://ipfs.io/ipns/ipfs.io
HTTP/1.1 200 OK
Server: nginx/1.9.3
Date: Sun, 06 Sep 2015 03:41:17 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: https://gateway.ipfs.io
Access-Control-Allow-Origin: https://ipfs.io
Access-Control-Allow-Origin: http://gateway.ipfs.io
Access-Control-Allow-Origin: http://ipfs.io
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Origin: http://127.0.0.1:8080
Suborigin: ipfs.io
X-Ipfs-Path: /ipns/ipfs.io/
Strict-Transport-Security: max-age=15768000

On Chrome I get

https://gateway.ipfs.io/ipfs/QmWCobpCNQy9SN19mcauGw4HR5p1KBcTvL6ousavdpJxqt/12/3790/2375.pbf. The 'Access-Control-Allow-Origin' header contains multiple values 'https://gateway.ipfs.io, https://ipfs.io, http://gateway.ipfs.io, http://ipfs.io, http://localhost, http://localhost:8080, http://127.0.0.1, http://127.0.0.1:8080', but only one is allowed. Origin 'https://ipfs.io' is therefore not allowed access.

See Also ipfs/infra#77

lidel commented Jan 15, 2016

Same behaviour for Access-Control-Allow-Methods defined via:

ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "GET", "POST", "OPTIONS"]'

produces:

> curl -X HEAD -I http://127.0.0.1:8080/ipfs/QmRqoVq1G9pL7hyLB2EGi5mndRTQv7tKfFXPRUsSbpHqfK
HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Headers: X-Stream-Output, X-Chunked-Output
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Methods: GET
Access-Control-Allow-Methods: POST
Access-Control-Allow-Methods: OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Stream-Output, X-Chunked-Output
Cache-Control: public, max-age=29030400
Content-Length: 624
Content-Type: text/plain; charset=utf-8
Etag: QmRqoVq1G9pL7hyLB2EGi5mndRTQv7tKfFXPRUsSbpHqfK
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
Suborigin: QmRqoVq1G9pL7hyLB2EGi5mndRTQv7tKfFXPRUsSbpHqfK
X-Ipfs-Path: /ipfs/QmRqoVq1G9pL7hyLB2EGi5mndRTQv7tKfFXPRUsSbpHqfK
Date: Fri, 15 Jan 2016 18:32:53 GMT

@eingenito

Fixed. Closing.

dt665m commented Jul 17, 2019

Anyone notice a regression on this? I'm running 0.4.21 directly from releases and setting multiple Access-Control-Allow-Origin's in the gateway config causes multiple copies of the header to be sent in HTTP responses.

$ curl -X HEAD -I https://ipfs.aetheras.io/ipfs/Qmaisz6NMhDB51cCvNWa1GMS7LU1pAxdF4Ld6Ft9kZEP2a

HTTP/2 200 
accept-ranges: bytes
access-control-allow-headers: Content-Type
access-control-allow-headers: Range
access-control-allow-headers: User-Agent
access-control-allow-headers: X-Requested-With
access-control-allow-methods: GET
access-control-allow-origin: http://localhost:3000
access-control-allow-origin: https://*.aetheras.io
access-control-expose-headers: Content-Range
access-control-expose-headers: X-Chunked-Output
access-control-expose-headers: X-Stream-Output
cache-control: public, max-age=29030400, immutable
content-type: text/plain; charset=utf-8
date: Wed, 17 Jul 2019 12:40:36 GMT
etag: "Qmaisz6NMhDB51cCvNWa1GMS7LU1pAxdF4Ld6Ft9kZEP2a"
last-modified: Thu, 01 Jan 1970 00:00:01 GMT
suborigin: ipfs000bciqlp7qid32bcyffpnmrgvqymb3ol3whoqbdquzfxqnaqfvvxn3evwy
x-ipfs-path: /ipfs/Qmaisz6NMhDB51cCvNWa1GMS7LU1pAxdF4Ld6Ft9kZEP2a
content-length: 32

ipfs config:

  "Gateway": {
    "HTTPHeaders": {
      "Access-Control-Allow-Headers": [
        "X-Requested-With",
        "Range",
        "User-Agent"
      ],
      "Access-Control-Allow-Methods": [
        "GET"
      ],
      "Access-Control-Allow-Origin": [
        "http://localhost:3000",
        "https://*.aetheras.io"
      ]
    },
    "RootRedirect": "",
    "Writable": false,
    "PathPrefixes": [],
    "APICommands": [],
    "NoFetch": false
  },

I've reverted to the default "*" configuration for now to get things working.
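
Added example (not part of the thread and not go-ipfs code): browsers accept only one origin, `*` or `null` in Access-Control-Allow-Origin, so a server holding an allow-list has to match the request's Origin itself and echo back that single value. The sketch below does that and writes each list-valued CORS header as one comma-separated field; `matchOrigin` and `applyCORS` are hypothetical names, and reading `scheme://*.domain` as "subdomains only" is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const acao = "Access-Control-Allow-Origin"

// matchOrigin reports whether one allow-list entry covers origin. An entry is
// "*", an exact origin, or scheme://*.domain (assumed to mean subdomains only).
func matchOrigin(entry, origin string) bool {
	scheme, domain, wild := strings.Cut(entry, "://*.")
	if !wild {
		return entry == "*" || entry == origin
	}
	u, err := url.Parse(origin)
	// Anchor on the dot: "evil-aetheras.io" must not match "*.aetheras.io".
	return err == nil && u.Scheme == scheme && strings.HasSuffix(u.Host, "."+domain)
}

// applyCORS writes one Access-Control-Allow-Origin value (never the whole list)
// and returns it, or "" when the request origin is not on the allow-list.
func applyCORS(h http.Header, cfg map[string][]string, origin string) string {
	for name, vals := range cfg {
		if strings.HasPrefix(name, "Access-Control-") && name != acao {
			h.Set(name, strings.Join(vals, ", "))
		}
	}
	h.Add("Vary", "Origin") // caches must key on Origin once the value is echoed
	for _, entry := range cfg[acao] {
		if matchOrigin(entry, origin) {
			if entry == "*" {
				origin = "*"
			}
			h.Set(acao, origin)
			return origin
		}
	}
	return ""
}

func main() {
	// Allow-list copied from the config quoted in the thread.
	cfg := map[string][]string{acao: {"http://localhost:3000", "https://*.aetheras.io"}}
	h := http.Header{}
	fmt.Println(applyCORS(h, cfg, "https://ipfs.aetheras.io"), h)
}
```

An origin that matches no entry gets no Access-Control-Allow-Origin header at all, which is what makes the browser refuse the cross-origin read.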
