CORS multiple values in response header


Rasa version: 1.1.5

I am currently putting together a simple chat system running on an Express Node.js server, that is connected to a Rasa Server through the Socket.IO channel.

Everything works wonderfully until I package the whole thing into Docker Containers with Docker Compose.

I have enabled CORS on the Rasa Server with the RUN command as follows:

command: run --enable-api --cors * --debug


Access to XMLHttpRequest from origin has been blocked by CORS policy: The ‘Access-Control-Allow-Origin’ header contains multiple values, but only one is allowed.

Network log

The header clearly has two of the same IP address as the allowed origin in the response header.

Attempted solutions that did NOT work:

  • whitelist just the Node.js server’s IP address
  • tried the cors package for Express
  • tried the orgins method in the Socket.IO server API
  • changed all IP’s to localhost
  • Suggested command from JiteshGaikwad: rasa run -m models --enable-api --cors “*” --debug

Where does Access-Control-Allow-Origin actually get created?


Added JiteshGaikwad’s suggested solution to the ‘Did not work’ list and some minor formating.

1 Like

hey @daypack, I think so the issue lies in the rasa command, please try the command below and check

rasa run -m models --enable-api --cors “*” --debug

Hi @JiteshGaikwad

Thanks for the reply, but I doubt the suggested command would work because it is basically the same command that I am already using.

models is already the default value for the server configuration option –model (-m) as specified in the Rasa Open Source edition documentation (Command Line Interface: Start a Server). I have not changed the default file structure, so I don’t see how using the same value as the option’s default value will make a difference.

The quotation marks wrapping the wildcard character (*) value for the CORS option is also not necassary because the shell only needs quotes when the value has spaces (i.e. foobar vs “foo bar”) (Stack Overflow: Python argparse argument with quotes). Having quotes would also mean the model value would have to be wrapped: “models”.

I will give the suggested command a try anyway and post the results. You never know.

@JiteshGaikwad the suggested command didn’t work. Still got the same error as before.

I curious why the allowed origin IP address is being duplicated in the Access-Control-Allow-Origin response header and shouldn’t it actually be a wildcard instead of an IP address? :thinking:

Am I missing something?

1 Like

@daypack thanks for reporting this issue. this seems to be a bug related to the combination in python-socketio in combination with sanic. I’ve filed this as a bug on github. We’ll be looking into this!


Any developments on this? I still am facing trouble with the above mentioned issue.

Hi @lohith.arcot, yes this should be fixed. Please upgrade to rasa X 0.22.0 and rasa 1.4.0

1 Like