CORS Error : header contains multiple values '*, *', but only one is allowed

Hi All,

I am getting “The ‘Access-Control-Allow-Origin’ header contains multiple values ‘*, *’, but only one is allowed.” type of error when requesting an API via Apigee.

I have added an Apigee policy of AssignMessage,

Add CORS

*

true

and having PreFlow Response as,

add-cors

Am I missing anything? Please help me out :frowning:

@Michael Malloy

@Gaurav Vishwas Joshi

@Dave Newman

@Barahalikar Siddharth

@Maruti Chand

@mukundha@apigee.com

@Hasan Otuome

@Scott Ganyo

@Mohsen Azimi

@all

3 Likes

Instead of using Add to set the Access-Control-Allow-Origin header, use Set. Since headers can support multiple values, Add will add one, rather than just setting the existing. Set will ensure that if there is already a header there you aren’t doubling it up.

2 Likes
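An added example (not part of the original thread and not Apigee's code) that models the Add versus Set behaviour described in the answer above and the browser-side check that produces the “*, *” error. The helper names, the sample response and the origin are constructed for illustration.

```javascript
// Added illustration. applyAdd/applySet are hypothetical helpers that model
// the <Add> and <Set> behaviour described in the answer, not Apigee code.
const ACAO = 'Access-Control-Allow-Origin';
const same = (a, b) => a.toLowerCase() === b.toLowerCase();

// Add: append a new field, even when one with that name is already present.
function applyAdd(headers, name, value) {
  return [...headers, [name, value]];
}

// Set: drop every existing field with that name, then write exactly one.
function applySet(headers, name, value) {
  return [...headers.filter(([n]) => !same(n, name)), [name, value]];
}

// A client sees repeated fields as one comma-separated value.
function combinedValue(headers, name) {
  const values = headers.filter(([n]) => same(n, name)).map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// Browser-side check for a request without credentials: the combined value
// must be exactly "*" or exactly the requesting origin.
function corsOriginCheck(headers, requestOrigin) {
  const value = combinedValue(headers, ACAO);
  if (value === null) return { ok: false, reason: 'header missing' };
  if (value === '*' || value === requestOrigin) return { ok: true, reason: value };
  return { ok: false, reason: `multiple or unexpected values '${value}'` };
}

// Constructed sample: the response already carries the header when the
// policy runs (assumption: an earlier hop such as the backend set it).
const upstream = [
  ['Content-Type', 'application/json'],
  [ACAO, '*'],
];
const origin = 'https://app.example'; // constructed origin

const afterAdd = applyAdd(upstream, ACAO, '*');
const afterSet = applySet(upstream, ACAO, '*');

console.log('Add:', combinedValue(afterAdd, ACAO), corsOriginCheck(afterAdd, origin));
console.log('Set:', combinedValue(afterSet, ACAO), corsOriginCheck(afterSet, origin));
```

Running `combinedValue` over captured response headers is a quick way to flag any CORS header that more than one hop is writing.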

Wow… Thank you so much, Carlos :slight_smile: It started to work :slight_smile:

Thank you @Carlos Eberhardt, I was just looking for the same & came across this post.

This is not working for me. I’m experiencing the same issue where I get “*, *” in the CORS headers, like below. My policy is like this, using SET..

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

Access-Control-Allow-Headers: origin, x-requested-with, accept
Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Access-Control-Allow-Origin: *, *
Access-Control-Expose-Headers: X-Mashery-Error-Code, X-Mashery-Responder
Access-Control-Max-Age: 3628800

Actually this is odd.. I went as far as to add an assign message policy that REMOVEd all the CORS headers and then SET them, because I thought they might be coming in from the backend service.. It is still broken in Chrome, which reports it as “*, *”, but when I curl it I see below

Any thoughts?

< HTTP/1.1 200 OK
< Date: Thu, 13 Oct 2016 20:09:52 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Mashery-Responder: prod-j-worker-atl-04.mashery.com
< X-Powered-By: PHP/5.5.9-1ubuntu4.14
< Cache-Control: max-age=5150
< Vary: Accept-Encoding
< Server: Mashery Proxy
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: origin, x-requested-with, accept
< Access-Control-Max-Age: 3628800
< Access-Control-Allow-Methods: GET, PUT, POST, DELETE

Now it gets stranger. Works in Firefox. So what is Chrome doing?

Weird. Try incognito mode, disable extensions, etc? Maybe something is messing with it.

Hey guys, I implemented something like that and it served me correctly.

In the proxy endpoint we must place in the preflow the next call of a FlowCallout to invoke a sharedflow which will have the policy of CORS
FC-CORS FC-OAuth2
Definition of flowcallout, where we invoke the sharedflow
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> FC-CORS OPTIONS-CORS-Headers-Response
definition of sharedflow
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> OPTIONS-CORS-Headers-Response request.verb == "OPTIONS"
Definition of the RaiseFault policy, where we will indicate the headers of Access-Control-Allow-Origin with * that will allow the invocation from our browser
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> OPTIONS CORS Headers Response * origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization 3628800 GET, PUT, POST, DELETE 200 OK true

angular:

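import { HttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs';
const httpOptions2 = { headers: new HttpHeaders({ 'Authorization': 'Bearer token' }) };

obtenerCatalogos(): Observable<any> { return this.httpClient.get(uriApigee + 'endpointapigee', httpOptions2); }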

Regards

Hi Carlos Eberhardt / @venkatesh, can you please give an example of what you meant by “Instead of using Add to set the Access-Control-Allow-Origin header, use Set”?

figured it out - blend and blindness

Tks Carlos! Working for me!