Error in browser console on website that requests content from another website hosted on Plesk for Linux server: The ‘Access-Control-Allow-Origin’ header contains multiple values, but only one is allowed

Symptoms

• When a website requests content from another website that is hosted on a Plesk for Linux server, the following error is shown in the browser console (which can be opened using these instructions: 1, 2) when that first website is opened in the browser:

  Access to XMLHttpRequest at 'https://example.org/api/user/device-login' from origin 'https://example.com/some-url' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'https://example.org, *, *', but only one is allowed.

• nginx is installed, and the option Proxy mode in Domains > example.com > Hosting & DNS > Apache & nginx Settings is enabled.

Cause

The HTTP header Access-Control-Allow-Origin is duplicated.

Resolution

1. Log in to Plesk.

2. Check the following places for directive that adds the header Access-Control-Allow-Origin:

   • Both fields under Additional Apache directives in Domains > example.com > Hosting & DNS > Apache & nginx Settings.

   • The field Additional nginx directives in Domains > example.com > Hosting & DNS > Apache & nginx Settings.

   • The file .htaccess in the website content.

3. Remove the directives that add the header Access-Control-Allow-Origin from 2 of 3 of above places, leaving only one of them.