Duplicate Access-Control-Allow-Origin header in api.fediverse.observer response
I’m trying out sending a request to api.fediverse.observer from a web page:
fetch("https://api.fediverse.observer/", {
method: "POST",
headers: {"Content-Type": "application/x-www-form-urlencoded"},
body: "query=" + encodeURIComponent('{nodes(status:"WHATEVER""){domain}}')
});
In Chrome this results in the following error message:
Access to fetch at 'https://api.fediverse.observer/' from origin 'https://example.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
There are in fact two Access-Control-Allow-Origin
response headers. I cannot see the second header being added in the code, so I have to assume that the culprit is the server configuration.