Duplicate CORS header #862

Open
friedrich opened this issue Feb 26, 2024 · 1 comment

friedrich commented Feb 26, 2024

OpenVSX is responding with multiple Access-Control-Allow-Origin headers, which is not compliant with the CORS (Cross-Origin Resource Sharing) policy as browsers expect a single Access-Control-Allow-Origin header.

Here is an example request:

curl -H 'Origin: http://localhost/' -v 'localhost:8080/vscode/asset/GitHub/vscode-pull-request-github/0.80.1/Microsoft.VisualStudio.Code.Manifest?targetPlatform=universal'
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /vscode/asset/GitHub/vscode-pull-request-github/0.80.1/Microsoft.VisualStudio.Code.Manifest?targetPlatform=universal HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
> Origin: http://localhost/
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Access-Control-Allow-Origin: *
< Server: nginx
< Date: Mon, 26 Feb 2024 13:18:12 GMT
< Connection: keep-alive
< Keep-Alive: timeout=50
< x-rate-limit-remaining: 14
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers
< x-content-type-options: nosniff
< x-xss-protection: 0
< strict-transport-security: max-age=31536000 ; includeSubDomains
< x-frame-options: DENY
< Access-control-allow-origin: *
< Cache-Control: max-age=600, public
< Location: https://openvsxorg.blob.core.windows.net/resources/GitHub/vscode-pull-request-github/0.80.1/package.json
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

This results in Visual Studio Code rejecting the connection. Firefox displays the following after rejecting the request:

CORS header 'Access-Control-Allow-Origin' does not match '*, *'

friedrich reopened this Feb 26, 2024

Screenshot 2024-02-26 at 14 35 10
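
The duplicate-header condition reported in this issue can be checked mechanically; the following is an added example, not part of the original issue or the OpenVSX code base. It parses `curl -v` or `curl -i` output, flags single-valued CORS headers that appear more than once, and reproduces the `*, *` value the browser ends up comparing. The function names, the sample text and the origin `http://localhost` are assumptions made for the illustration.

```python
# Added example: flag duplicated single-valued CORS response headers.
from collections import defaultdict

# CORS response headers for which the browser needs exactly one value.
SINGLE_VALUED = {"access-control-allow-origin", "access-control-allow-credentials"}

# Constructed sample, shortened from the curl -v output quoted in the issue.
SAMPLE = """\
< HTTP/1.1 302
< Vary: Origin
< Access-Control-Allow-Origin: *
< Server: nginx
< vary: Origin
< x-frame-options: DENY
< Access-control-allow-origin: *
< Content-Length: 0
"""

def parse_headers(raw):
    """Group response header values by lower-cased name (curl -v or curl -i text)."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        line = line[2:] if line.startswith("< ") else line
        name, sep, value = line.partition(":")
        # Skip status lines, blank lines, and curl's '> ' request / '* ' info lines.
        if not sep or " " in name.strip():
            continue
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def browser_view(headers, name):
    """Value the browser compares: repeated headers are combined with ', '."""
    values = headers.get(name.lower())
    return ", ".join(values) if values else None

def cors_findings(raw, origin):
    """Return (duplicates, allowed) for a non-credentialed cross-origin request."""
    headers = parse_headers(raw)
    duplicates = {n: v for n, v in headers.items()
                  if n in SINGLE_VALUED and len(v) > 1}
    acao = browser_view(headers, "Access-Control-Allow-Origin")
    allowed = acao in ("*", origin)  # '*, *' equals neither '*' nor the origin
    return duplicates, allowed

if __name__ == "__main__":
    dups, ok = cors_findings(SAMPLE, "http://localhost")
    print("duplicated:", dups)
    print("CORS check passes:", ok)
```

Header names are compared case-insensitively, so `Access-Control-Allow-Origin` and `Access-control-allow-origin` count as the same header, which is why the two lines in the trace collide.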
