Multiple CORS header in response

Description

I use GeoServer to publish WMS layers that will be consumed by a web app through OpenLayers v6.

I enabled CORS by uncommenting the corresponding `<filter>` and `<filter-mapping>` tags in `web.xml`.

First I loaded the WMS using the basic tile loader of OpenLayers, which consists of passing the WMS request URL to the `src` property of an `<img>` element. So far everything worked.
Then I wanted the loader to be customized, and I used XHR to make the request myself. I noticed that when the request header `Origin` is set (in my case to http://localhost:8080), the response from GeoServer contains the CORS headers twice, in particular the `Access-Control-Allow-Origin` header, which is not allowed by CORS policy, and so the request failed.

Here is an example of an HTTP request that will have a response with the CORS headers twice:

Environment

Docker image kartoza/geoserver:2.15.2 on a CentOS 7 host.
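
The following is an added example, not part of the report and not GeoServer or OpenLayers code: it parses a response head, lists the CORS headers that occur more than once, and applies the browser's origin comparison, in which repeated `Access-Control-Allow-Origin` values are joined with ", " before being compared to the request origin. The sample response and all function names are constructed for illustration.

```javascript
// Constructed sample response head (not captured from the reporter's server).
const SAMPLE_HEAD = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: http://localhost:8080",
  "Access-Control-Allow-Credentials: true",
  "Content-Type: image/png",
  "Access-Control-Allow-Origin: http://localhost:8080",
  "Access-Control-Allow-Credentials: true",
].join("\r\n");

// Parse header lines into Map<lowercased name, array of values in wire order>.
function parseHeaders(head) {
  const headers = new Map();
  for (const line of head.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // ignore blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Names of Access-Control-* headers that appear more than once.
function duplicatedCorsHeaders(headers) {
  return [...headers.entries()]
    .filter(([name, values]) => name.startsWith("access-control-") && values.length > 1)
    .map(([name]) => name);
}

// Origin comparison as a browser performs it for a request without credentials:
// repeated values are combined with ", " and the result must equal "*" or the
// request origin exactly, so a doubled header fails even if both copies match.
function corsOriginCheck(headers, origin) {
  const values = headers.get("access-control-allow-origin");
  if (!values) return false;
  const combined = values.join(", ");
  return combined === "*" || combined === origin;
}

const parsed = parseHeaders(SAMPLE_HEAD);
console.log("duplicated:", duplicatedCorsHeaders(parsed));
console.log("origin check passes:", corsOriginCheck(parsed, "http://localhost:8080"));
```

Running the same check against the response head of a deployed server shows whether more than one layer (for example a servlet filter and a proxy in front of it) is adding CORS headers.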

Assignee

Unassigned

Reporter

Pierre Noll

Triage

None

Fix versions

None

Affects versions

Components

Priority

High