Question: Error in browser console on website that requests content from another website hosted on Plesk for Linux server: The 'Access-Control-Allow-Origin' header contains multiple values, but only one is allowed
Applicable to:Symptoms- When a website requests content from another website that is hosted on a Plesk for Linux server, the following error is shown in the browser console (which can be opened using these instructions: 1, 2) when that first website is opened in the browser:
Access to XMLHttpRequest at 'https://example.org/api/user/device-login' from origin 'https://example.com/some-url' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'https://example.org, *, *', but only one is allowed.- nginx is installed, and the option Proxy mode in Domains > example.com > Hosting & DNS > Apache & nginx Settings is enabled.
CauseThe HTTP header Access-Control-Allow-Origin is duplicated.
Resolution1.Log in to Plesk.
2.Check the following places for directive that adds the header Access-Control-Allow-Origin:
- Both fields under Additional Apache directives in Domains > example.com > Hosting & DNS > Apache & nginx Settings.
- The field Additional nginx directives in Domains > example.com > Hosting & DNS > Apache & nginx Settings.
- The file .htaccess in the website content.
3.Remove the directives that add the header Access-Control-Allow-Origin from 2 of 3 of above places, leaving only one of them.