
CORS: Multi-origin ACAO invalid — echo single Origin and set Vary: Origin #11744

@ErykKul

Description

What steps does it take to reproduce the issue?

  • Set the JVM option dataverse.cors.origin to multiple origins (comma- or space-separated), e.g. https://libis.github.io, https://gdcc.github.io.
  • From a browser (or curl with an Origin header), call any Dataverse API endpoint (preflight OPTIONS and the actual request) with Origin set to one of the allowed sites.
  • Observe response headers and browser console/network.

When does this issue occur?

  • On cross-origin API calls when dataverse.cors.origin contains multiple origins.
  • Also surfaces when CORS-related config values include surrounding quotes.
  • Wildcard * combined with credentialed requests (cookies/Authorization) is rejected by browsers.

Which page(s) does it occur on?

  • Any API endpoint accessed cross-origin, e.g. /api/files/*, /api/access/*, /api/externalTools.

What happens?

  • Access-Control-Allow-Origin is sent as a literal comma-separated list (e.g., https://a.example, https://b.example) which browsers reject ("header contains multiple values").
  • CORS header values sometimes include quotes (e.g., "Accept, Content-Type,…"), causing preflight failures.
  • Vary: Origin is not set when echoing an origin, allowing caches to serve the wrong ACAO across different origins.

To whom does it occur (all users, curators, superusers)?

  • Any browser-based clients calling the API from allowed third-party origins (e.g., previewers/marketplace).

What did you expect to happen?

  • Server echoes the single request Origin only when it matches the allowed list.
  • Vary: Origin is present when echoing a specific origin.
  • Configured CSV values are sanitized (no quotes, normalized lists).
  • Wildcard * is used only when explicitly configured and with awareness that credentialed requests will fail per browser rules.

Which version of Dataverse are you using?

  • 6.7.1 (Payara 6)

Any related open or closed issues to this bug report?

  • Feature Request: #11365 (Allow /api/externalTools to be CORS enabled) — related CORS context but different scope (endpoint access vs. header correctness).

Screenshots:

  • Browser console typically shows: “has been blocked by CORS policy: The ‘Access-Control-Allow-Origin’ header contains multiple values”.
  • Network tab shows ACAO with the comma-separated list or quoted values.

Are you thinking about creating a pull request for this issue?

  • Yes. Plan:
    • Echo the single request Origin when present in dataverse.cors.origin (supports multiple origins).
    • Add Vary: Origin when echoing.
    • Sanitize methods/allow/expose header lists (strip quotes, normalize).
    • Remove reliance on deprecated :AllowCors DB fallback.
    • Add unit tests for wildcard, multi-origin echo, disallowed origin, and sanitization.
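
The header logic the plan above describes, as an added illustration that is not Dataverse code (the project is Java; this is a language-agnostic model of the decision, not its servlet filter). It places the reported behaviour (the configured value copied verbatim into ACAO) beside the expected one: quotes stripped and lists normalized, the single request Origin echoed only on an exact match against the allow-list, Vary: Origin added when echoing, * used only when it is the whole configured value, and no ACAO at all for a disallowed origin. The function names, the default method/header lists and the sample setting are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Config values in the report arrive comma- or space-separated, sometimes
# wrapped in stray quotes, e.g. '"https://a.example, https://b.example"'.
_LIST_SEP = re.compile(r"[,\s]+")


def normalize_list(raw: Optional[str]) -> List[str]:
    """Sanitize a CSV-style setting: strip quotes, split on commas/whitespace,
    drop empties and duplicates, preserve order."""
    if raw is None:
        return []
    cleaned = raw.replace('"', "").replace("'", "").strip()
    out: List[str] = []
    for item in _LIST_SEP.split(cleaned):
        if item and item not in out:
            out.append(item)
    return out


def buggy_cors_headers(cors_origin_setting: str) -> Dict[str, str]:
    """The behaviour described under 'What happens?': the configured value is
    copied into ACAO verbatim, so a multi-origin setting becomes an invalid
    comma-separated header and any quotes leak through. Reconstructed from the
    report for contrast; not the project's source."""
    return {"Access-Control-Allow-Origin": cors_origin_setting}


def cors_headers(
    cors_origin_setting: Optional[str],
    request_origin: Optional[str],
    allow_methods: str = "GET, POST, PUT, DELETE, OPTIONS",  # constructed default
    allow_headers: str = '"Accept, Content-Type"',           # constructed, with the quote defect
    expose_headers: str = "",
) -> Dict[str, str]:
    """Response headers for one request, following the expected behaviour in
    the report: echo the single request Origin only on an exact allow-list
    match, add 'Vary: Origin' when echoing, use '*' only when it is the whole
    configured value, and emit nothing for a disallowed origin."""
    allowed = normalize_list(cors_origin_setting)
    headers: Dict[str, str] = {}
    if not allowed:
        return headers  # CORS not configured: send no CORS headers at all

    if allowed == ["*"]:
        # Explicit wildcard. Browsers refuse '*' for credentialed requests
        # (cookies/Authorization), so this only suits anonymous API access.
        headers["Access-Control-Allow-Origin"] = "*"
    elif request_origin is not None and request_origin in allowed:
        # Exact string match only: prefix or substring matching would accept
        # https://allowed.example.evil.example. Browsers serialize Origin as
        # scheme://host[:port], so that is the form config entries must use.
        headers["Access-Control-Allow-Origin"] = request_origin
        # Without Vary, a shared cache could replay the ACAO issued for origin A
        # to a request from origin B. A real filter should append "Origin" to an
        # existing Vary value rather than overwrite it.
        headers["Vary"] = "Origin"
    else:
        return headers  # disallowed origin: no ACAO, the browser blocks the response

    headers["Access-Control-Allow-Methods"] = ", ".join(normalize_list(allow_methods))
    headers["Access-Control-Allow-Headers"] = ", ".join(normalize_list(allow_headers))
    exposed = normalize_list(expose_headers)
    if exposed:
        headers["Access-Control-Expose-Headers"] = ", ".join(exposed)
    return headers


if __name__ == "__main__":
    # Constructed setting reproducing both defects: two origins and surrounding quotes.
    setting = '"https://libis.github.io, https://gdcc.github.io"'
    print("buggy :", buggy_cors_headers(setting))
    print("fixed :", cors_headers(setting, "https://gdcc.github.io"))
    print("denied:", cors_headers(setting, "https://evil.example"))
```

The cases a unit test for the fix would cover map directly onto the branches: wildcard, multi-origin echo with Vary, a disallowed origin (including a lookalike that merely starts with an allowed origin), a request with no Origin header, and quoted or oddly separated config values.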
