Multiple "access-control-allow-origin" in API response, is it a bug?

I’m currently developping a custom dashboard to trigger some bitrise builds but the endpoint to trigger build send me a response with 2 “access-control-allow-origin”, that is not allowed by majority of browser

I use a simple html/js project on firebase hosting

const http = new XMLHttpRequest();
    const dataObj = {
        "hook_info": {
            "type": "bitrise"
        },
        "build_params": {
            "branch": `${config.git_branch}`,
            "workflow_id": `${config.workflow}`,
            "environments": [
                {"mapped_to":`${config.env_var}`,"value": `${data}`,"is_expand":true}
            ]
        }
    }
    http.open('POST', config.app_api_url, true);
    http.setRequestHeader('Authorization', config.pat)
    http.setRequestHeader('Access-Control-Allow-Origin', "*")
    http.send(JSON.stringify(dataObj));

Did I make a mistake or is it a “bug” ? I searched on google and tried a lot of “fix” without success.

Hello @MrSweeter :wave:

Thanks for bringing this information to light, the developers checked and this is indeed a bug, one that now is being worked on.
As soon as there is progress, we’ll let you know! :slight_smile:

Do I have to do something to move this topic in “issue” instead of “Question & Answer” ?