The 'Access-Control-Allow-Origin' header contains multiple values 'https://mysite.com/path, *', but only one is allowed.

[ipolegbunin]

Could you please add removal of original "Access-Control-Allow-Origin" header before adding "Access-Control-Allow-Origin: *".

Without that fix I have the following error:

XMLHttpRequest cannot load https://externaldomain.com. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost.localdomain:8080' is therefore not allowed access.

XMLHttpRequest cannot load https://externaldomain.com/path. The 'Access-Control-Allow-Origin' header contains multiple values 'https://localhost.localdomain, *', but only one is allowed. Origin 'http://localhost.localdomain:8080' is therefore not allowed access.

[kadkaz]

The same problem. using Access-Control-Expose-Headers as
{code}
Access-Control-Allow-Origin: http://my.origin.url
{code}
does not help.

Please use instead of * the origin then it will work anyway with credentials or without.

[blukis]

Same problem here. Doing some digging, looks like bug #7 was reintroduced in v1.0.3. Headers are comparing case-sensitively, and so duplicating the Access-Control-Allow-Origin http header when case doesn't match. :(

[leitwolf]

Use this plugin: Access-Control-Allow-Credentials: true instead:
https://chrome.google.com/webstore/detail/access-control-allow-cred/hmcjjmkppmkpobeokkhgkecjlaobjldi
you must re-enable it when start chrome everytime.