What does origin ‘*, *’ mean

Question

When fetching a resource from a server with Firefox I get this error message:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource
Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘*, *’

What does ‘*, *’ mean? The server should allow everything with this in the .htaccess

Header set Access-Control-Allow-Origin "*"

Answer 1

Upon receiving duplicate response headers,

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *

browsers may roll the two values into a single header with a list of comma-delimited values:

Access-Control-Allow-Origin: *, *

This behaviour is explained in RFC 7230, section 3.2.2:

A recipient MAY combine multiple header fields with the same field name into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field value to the combined field value in order, separated by a comma. The order in which header fields with the same field name are received is therefore significant to the interpretation of the combined field value; a proxy MUST NOT change the order of these field values when forwarding a message.

However, according to the Fetch Standard (with specifies the CORS protocol), a value of *, * for the Access-Control-Allow-Origin header doesn't count as an origin wildcard, hence the CORS error you're observing.