esm.sh responds with duplicate "Access-Control-Allow-Origin: *" headers following redirects

Open ggoodman opened this issue 2 years ago • 1 comments

Description

When attempting to integrate esm.sh on https://plnkr.co/edit/, I noticed that .css files being loaded by the plnkr/runtime runtime were failing with CORS errors such as this:

Access to script at 'https://cdn.esm.sh/@ag-grid-community/[email protected]/dist/styles/ag-grid.css'
(redirected from 'https://esm.sh/@ag-grid-community/core@%5E27.1.0/dist/styles/ag-grid.css')
from origin 'https://run.plnkr.co' has been blocked by CORS policy:
    The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

What seems to be happening is:

  1. A first request to https://esm.sh/@ag-grid-community/core@%5E27.1.0/dist/styles/ag-grid.css is coming back with a 307 pointing to https://cdn.esm.sh/@ag-grid-community/[email protected]/dist/styles/ag-grid.css.
  2. The fetch seems to follow this redirect and sends a request with origin: null (not sure if this is per spec or what) for the canonical url.
  3. esm.sh responds with two access-control-allow-origin: * headers causing Chrome to complain with the noted error.

I took a quick look at the CORS middleware but nothing popped out as obvious. Is it possible that something in Cloudflare might be duplicating this header?

Reproduction

Observe that the following produces duplicate access-control-allow-origin: * headers.

curl --head -X HEAD -H "origin: null" "https://cdn.esm.sh/@ag-grid-community/[email protected]/dist/styles/ag-grid.css"

ggoodman, Mar 22 '22 12:03
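
A check that flags the condition reported above in `curl --head` style output, following the browser's rule that repeated header lines are combined and the combined value must be a single `*` or the request's origin. This is an added example, not code from the issue or from esm.sh; the sample header blocks are constructed, the function names are hypothetical, and a request without credentials is assumed.

```javascript
// Constructed samples in the shape `curl --head` prints; not captured from esm.sh.
const SAMPLE_DUPLICATED = [
  "HTTP/2 200",
  "content-type: text/css; charset=utf-8",
  "access-control-allow-origin: *",
  "cache-control: public, max-age=31536000, immutable",
  "access-control-allow-origin: *",
].join("\r\n");

const SAMPLE_SINGLE = [
  "HTTP/2 200",
  "content-type: text/css; charset=utf-8",
  "access-control-allow-origin: *",
].join("\r\n");

// Parse a raw header block into Map<lowercased name, string[]>,
// keeping one array entry per header line so duplicates stay visible.
function parseHeaderLines(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line, blank line, or malformed
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Mirror the browser-side check for a request without credentials
// (assumption): duplicates are joined with ", " and the result must be
// exactly "*" or the serialized request origin (which may be "null").
function checkAllowOrigin(raw, requestOrigin) {
  const values = parseHeaderLines(raw).get("access-control-allow-origin") || [];
  if (values.length === 0) return { ok: false, reason: "missing", combined: null };
  const combined = values.join(", ");
  if (combined.includes(",")) return { ok: false, reason: "multiple values", combined };
  if (combined === "*" || combined === requestOrigin) return { ok: true, reason: "match", combined };
  return { ok: false, reason: "mismatch", combined };
}

console.log(checkAllowOrigin(SAMPLE_DUPLICATED, "null"));
console.log(checkAllowOrigin(SAMPLE_SINGLE, "null"));
```

Running the same check against both the redirecting URL and the redirect target, with and without an `origin` request header, shows which layer adds the second copy.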

Thanks for the details, I will look into it!

ije, Mar 22 '22 12:03

I believe this has been fixed.

ije, Mar 23 '23 12:03