
XSS Problems with Ajax GET Request

I have the following CoffeeScript which performs some sort of login:

# Fetch the session resource at `url`; `completion` receives (ok, result).
signIn: (url, completion) ->
  $.ajax
    method: 'GET'
    url: url
    dataType: 'json'
    # Network/CORS failures land here; report the error text to the caller.
    error: (jqXHR, status, errorThrown) ->
      completion false, errorThrown
    # On success hand back the identifier from the parsed JSON body.
    success: (data) ->
      completion true, data.Identifier

When I check the given URL in the browser I get a valid JSON response back.

However, when this call is executed using JavaScript I get the following error in the console. Please note that I have changed the URLs for obfuscation:

XMLHttpRequest cannot load http://my.servicedomain.com/session/someIdentifier?access_token=secret. 
Origin http://html.server.net is not allowed by Access-Control-Allow-Origin.

These are my headers, which I get from the my.servicedomain.com server:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 1417
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization
Date: Wed, 10 Jul 2013 14:24:35 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: Keep-Alive

Why do I get this error, even though I have Access-Control-Allow-Origin: * in the response header?

I have just figured out the answer myself. I knew that I had duplicated headers in my response, but I was assuming this would not be a problem.

It looks like this is a problem according to the CORS spec:

If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.

This is also described in this SO thread:

Will duplicate "Access-Control-Allow-Origin: *" headers break CORS?
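To make the spec rule quoted above concrete, here is an added example (not part of the original question or answer) that applies the same "exactly one Access-Control-Allow-Origin value" check to a raw response head. The header samples are constructed: one condenses the duplicated IIS headers from the question, the other emits each CORS header once. The `credentials` flag is an assumption modelling an XHR sent with `withCredentials`, for which browsers reject a wildcard origin.

```javascript
// Added example, not code from the original post. It mirrors the CORS
// resource-sharing check step quoted in the answer: count the
// Access-Control-Allow-Origin values and fail on zero or more than one.

// Parse a raw HTTP/1.1 response head into ordered [name, value] pairs.
// Header names are case-insensitive, so they are lower-cased here.
function parseHeaders(rawHead) {
  const lines = rawHead.split(/\r?\n/).filter((l) => l.trim() !== "");
  const pairs = [];
  for (const line of lines.slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Apply the spec rule. Returns { ok: true } or { ok: false, reason }.
// `credentials` (assumption) models XHR withCredentials, under which "*" is rejected.
function checkAllowOrigin(headerPairs, requestOrigin, credentials = false) {
  const values = headerPairs
    .filter(([name]) => name === "access-control-allow-origin")
    .map(([, value]) => value);
  if (values.length === 0) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (values.length > 1) {
    return { ok: false, reason: `${values.length} Access-Control-Allow-Origin headers (must be exactly one)` };
  }
  const allow = values[0];
  if (allow === "*") {
    return credentials
      ? { ok: false, reason: "wildcard origin is not allowed for credentialed requests" }
      : { ok: true };
  }
  if (allow === requestOrigin) return { ok: true };
  return { ok: false, reason: `origin ${requestOrigin} does not match ${allow}` };
}

// Constructed sample: the duplicated CORS headers from the question, condensed.
const DUPLICATED_HEAD = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json; charset=utf-8",
  "Server: Microsoft-IIS/8.0",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS",
  "Access-Control-Allow-Headers: Authorization",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS",
  "Access-Control-Allow-Headers: Authorization",
].join("\r\n");

// Constructed sample: the same response with each CORS header emitted once.
const FIXED_HEAD = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json; charset=utf-8",
  "Server: Microsoft-IIS/8.0",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS",
  "Access-Control-Allow-Headers: Authorization",
].join("\r\n");

// Run the check from the page origin of the question against both samples.
function demo() {
  const origin = "http://html.server.net";
  return {
    duplicated: checkAllowOrigin(parseHeaders(DUPLICATED_HEAD), origin),
    fixed: checkAllowOrigin(parseHeaders(FIXED_HEAD), origin),
    fixedWithCredentials: checkAllowOrigin(parseHeaders(FIXED_HEAD), origin, true),
  };
}

console.log(demo());
```

Running it shows the duplicated head failing with "2 Access-Control-Allow-Origin headers", the single-header version passing, and the credentialed variant failing on the wildcard. When an application and the web server (here IIS's customHeaders plus an application-level CORS module, which is what the doubled headers in the question suggest) both emit CORS headers, the fix is to have exactly one layer own them.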
