When fetching a resource from a server with Firefox, I get this error message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘*, *’
What does '*, *' mean? Where did this value come from? I use that value nowhere! My .htaccess file contains the following, which I believe should be sufficient to allow all origins:
Header set Access-Control-Allow-Origin "*"
The most simple explanation is that the response received by the browser contains two Access-Control-Allow-Origin headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
As part of the CORS check, the browser effectively joins the values of multiple Access-Control-Allow-Origin headers into one using the character sequence ", " as separator. In your specific case, it's as if your browser received a response containing the following header:
Access-Control-Allow-Origin: *, *
However, a value of *, * never denotes all origins; only the wildcard, composed of a single * character, can ever denote all origins.
You need to find out why the response contains multiple Access-Control-Allow-Origin headers and make sure it contains at most one. Most likely, your CORS middleware is adding one, and your Web server or some reverse proxy is adding another.
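
The check described in the answer above can be reproduced offline to confirm a duplicated header is the cause. This is an added example, not part of the original answer: the function names, the sample response head and the origin `https://app.example` are constructed for illustration, and the check is simplified to requests sent without credentials.

```javascript
// Constructed sample: a raw response head as `curl -i` would print it,
// with the header emitted twice (e.g. once by the app, once by a proxy).
const SAMPLE_RESPONSE_HEAD = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "Access-Control-Allow-Origin: *",
  "Vary: Accept-Encoding",
  "access-control-allow-origin: *",
  "",
].join("\r\n");

// Collect every value of one header. Header names are case-insensitive,
// so differently-cased duplicates still count as the same header.
function headerValues(rawHead, name) {
  const wanted = name.toLowerCase();
  const values = [];
  for (const line of rawHead.split(/\r?\n/).slice(1)) { // skip status line
    if (line === "") break; // blank line ends the header section
    const colon = line.indexOf(":");
    if (colon <= 0) continue; // not a "name: value" line
    if (line.slice(0, colon).trim().toLowerCase() === wanted) {
      values.push(line.slice(colon + 1).trim());
    }
  }
  return values;
}

// Simplified CORS check for a request without credentials: the values
// are joined with ", " and the result must be exactly "*" or exactly
// the serialized request origin.
function corsCheck(rawHead, requestOrigin) {
  const values = headerValues(rawHead, "Access-Control-Allow-Origin");
  if (values.length === 0) {
    return { allowed: false, combined: null, count: 0 };
  }
  const combined = values.join(", ");
  const allowed = combined === "*" || combined === requestOrigin;
  return { allowed, combined, count: values.length };
}

console.log(corsCheck(SAMPLE_RESPONSE_HEAD, "https://app.example"));
```

A `count` greater than 1 means more than one layer is setting the header; remove it from all but one of them.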