We are using Cloudflare Access and require CORS settings. In two different Cloudflare accounts we have experienced the same issue:
When we try to adjust CORS settings (e.g. Access-Control-Allow-Credentials/Origin/Methods/Headers), the changes are reflected in the user interface.
However, we never observed any changes in Access’s behavior, i.e. the CORS headers of Cloudflare’s servers.
We always had to delete the entire Access Policy and create it from scratch with the desired changed CORS settings.