esm.sh
esm.sh copied to clipboard
esm.sh responds with duplicate "Access-Control-Allow-Origin: *" headers following redirects
Description
When attempting to integrate esm.sh on https://plnkr.co/edit/, I noticed that .css
files being loaded by the plnkr/runtime runtime were failing with CORS errors such as this:
Access to script at 'https://cdn.esm.sh/@ag-grid-community/[email protected]/dist/styles/ag-grid.css'
(redirected from 'https://esm.sh/@ag-grid-community/core@%5E27.1.0/dist/styles/ag-grid.css')
from origin 'https://run.plnkr.co' has been blocked by CORS policy:
The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
What seems to be happening is:
- A first request to
https://esm.sh/@ag-grid-community/core@%5E27.1.0/dist/styles/ag-grid.css
is coming back with a307
pointing tohttps://cdn.esm.sh/@ag-grid-community/[email protected]/dist/styles/ag-grid.css
. - The
fetch
seems to follow this redirect and sends a request withorigin: null
(not sure if this is per spec or what) for the canonical url. -
esm.sh
responds with twoaccess-control-allow-origin: *
headers causing Chrome to complain with the noted error.
I took a quick look at the CORS middleware but nothing popped out as obvious. Is it possible that something in CloudFlare might be duplicating this header?
Reproduction
Observe that the following produces duplicate access-control-allow-origin: *
headers.
curl --head -X HEAD -H "origin: null" "https://cdn.esm.sh/@ag-grid-community/[email protected]/dist/styles/ag-grid.css"
thanks for the details, i will look into it!
i believe this has been fixed