I use geoserver to publish WMS layers that will be consumed by a web app through OpenLayer v6.
I enabled the CORS by uncommenting the corresponding `<filter>` and `<filter-mapping>` balises of the `web.xml`.
First I loaded the WMS using the basic tileLoader of openLayer which consists of passing the WMS request URL to the `src` property of an `<img>` element. So far everything worked.
Then I wanted the loader to be costumized and I used xhr to make the request myself. I notice that when the request header Origin is set (in my case to http://localhost:8080) then the response of geoserver contains CORS headers twice and in particular the Access-Control-Allow-Origin header which is not allowed by CORS policy and so the request failed.
Here is an exemple of an http request that will have a response with the CORS headers twice :