Multiple 'Access-Control-Allow-Origin' headers preventing data viewing in Hub

04-30-2018 07:32 AM
GregYoung2
New Contributor III

My organization is currently exploring ArcGIS Hub.  We have a number of AGS map services which we are trying to view through Hub.  We are getting this error in the Data tab:

I have determined that this is a direct result of a browser CORS error (multiple 'Access-Control-Allow-Origin' headers).  Here is the error (URLs are not real):

"Failed to load https://org.com/arcgis/rest/info?f=json: The 'Access-Control-Allow-Origin' header contains multiple values 'https://opendata-org.opendata.arcgis.com, *', but only one is allowed. Origin 'https://opendata-org.opendata.arcgis.com' is therefore not allowed access." 

When I strip the extra header using a Fiddler script, the problem goes away.  I have encountered this error before using the JavaScript API and usually it has no impact.  It seems that Hub requires the results of the 'https://org.com/arcgis/rest/info?f=json' query to function properly.  Is there a way to add trusted servers to the Hub site configuration to avoid CORS errors?


Accepted Solutions
GregYoung2
New Contributor III

We got this one sorted out.  Somewhere on the web server there was a Web.config file that was adding the "*".  I couldn't see it due to our corporate policies but the relevant portion of the configuration file would look something like this:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Check your web server configuration to see where this header is being added.


0 Kudos
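One way to carry out the check suggested in the accepted solution, as an added example that is not part of the original thread: a Python script that walks a site directory and reports every IIS configuration file that adds 'Access-Control-Allow-Origin' through customHeaders, including entries scoped by a `<location>` element. The function names, the sample file and the choice to also scan applicationHost.config are assumptions; it needs read access to the web server's configuration files.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

HEADER = "access-control-allow-origin"
CONFIG_NAMES = {"web.config", "applicationhost.config"}

def _local(tag):
    """Drop any XML namespace so older namespaced configs still match."""
    return tag.rsplit("}", 1)[-1]

def _scan(node, path, location):
    """Walk the tree, remembering the enclosing <location path="...">."""
    found = []
    if _local(node.tag) == "location":
        location = node.get("path", "")
    for child in node:
        if (_local(node.tag) == "customHeaders" and _local(child.tag) == "add"
                and child.get("name", "").lower() == HEADER):
            found.append((path, location, child.get("value", "")))
        found.extend(_scan(child, path, location))
    return found

def find_acao_headers(root_dir):
    """Return (file, location, value) for each config entry adding the header."""
    hits = []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in CONFIG_NAMES:
                continue
            path = os.path.join(folder, name)
            try:
                hits.extend(_scan(ET.parse(path).getroot(), path, ""))
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: keep scanning
    return hits

# Constructed sample, modelled on the fragment quoted in the post.
SAMPLE = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="Access-Control-Allow-Origin" value="*" />
</customHeaders></httpProtocol></system.webServer></configuration>"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        with open(os.path.join(site, "web.config"), "w") as fh:
            fh.write(SAMPLE)
        for path, location, value in find_acao_headers(site):
            print(f"{path} location={location!r} value={value!r}")
```

Any hit means the web server adds the header statically, on top of whatever value the application behind it sends, which is how a response ends up with two values like the one in the error message.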
2 Replies
ER_Michigan
New Contributor III

Sorry, don't have an answer, but we're getting the same error with AGO layers. This only recently started up though.

0 Kudos