Bypass Zero Trust from one subdomain to another without CORS

What is the name of the domain?

example.com

Related to

Access

What is the error number?

Access to fetch at ‘https:// (name) cloudflareaccess com/cdn-cgi/access/login/api example com?kid={data}’ (redirected from ‘https:// api example com/’) from origin ‘https:// toggle example com/’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

What is the issue you’re encountering

Subdomains can’t communicate with API calls because of Zero Trust CORS not working

What steps have you taken to resolve the issue?

I’ve tried everything, from putting the necessary CORS headers in both the API Worker code and the Application settings in Zero Trust. I’ve tried all the domains and subdomains in Access-Control-Allow-Origin, and all options in Access-Control-Allow-Methods and Access-Control-Allow-Headers. I don’t know what Access-Control-Allow-Credentials does, but I tried it in different configurations as well, same with “Bypass OPTIONS requests to origin”. I tried different policies like Passwords, Bypass, Allow, and Service token (I didn’t know how to use it with HTML). My HTML page is basically just `const workerURL = "https://api example com/";` (link removed for forum), and then it makes the API calls with POST methods; this works without issues if I disable Zero Trust. I also enabled CORS for the subdomains in the R2 bucket.

What are the steps to reproduce the issue?

I have 2 subdomains: one HTML page at https:// toggle example com/ for controlling different options for the API, and the second is just a Cloudflare Worker at https:// api example com/ for controlling the API requests for stuff in my R2 bucket.
This is how the CORS looks in the API Worker:

```js
const headers = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://toggle.example.com", // (link removed for forum)
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization"
};
```
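Added example (not code from the original post): a Worker that answers the CORS preflight itself and sends credentialed CORS headers, plus the client-side fetch options that make the browser attach the Access session cookie. It assumes the origins are placeholders, that the Access application's “Bypass OPTIONS requests to origin” setting is enabled so the preflight reaches the Worker instead of the login page, and that the user has already signed in to the Access-protected API host in the same browser.

```javascript
// Assumed (placeholder) origin that is allowed to call the API Worker.
const ALLOWED_ORIGINS = new Set(["https://toggle.example.com"]);

// Build CORS headers for one request origin; null means "origin not allowed".
// When Allow-Credentials is "true", Allow-Origin must echo the exact origin
// ("*" is rejected by browsers for credentialed requests).
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin", // caches must key on Origin, since the header is echoed
  };
}

// A CORS preflight is an OPTIONS request carrying Access-Control-Request-Method.
function isPreflight(method, headers) {
  return method === "OPTIONS" && headers.get("Access-Control-Request-Method") != null;
}

// Worker entry point (Cloudflare Workers module syntax, minus the export).
const worker = {
  async fetch(request) {
    const cors = corsHeaders(request.headers.get("Origin") || "");
    if (isPreflight(request.method, request.headers)) {
      // Answer the preflight here; 403 if the origin is not on the allowlist.
      return new Response(null, { status: cors ? 204 : 403, headers: cors || {} });
    }
    const body = JSON.stringify({ ok: true, method: request.method });
    return new Response(body, {
      status: 200,
      headers: { "Content-Type": "application/json", ...(cors || {}) },
    });
  },
};

// Client side (runs on the toggle page): credentials "include" makes the browser
// send the CF_Authorization cookie that Access sets after login, so the POST
// reaches the Worker instead of being redirected to the Access login page.
function buildApiRequest(workerURL, payload) {
  return {
    url: workerURL,
    init: {
      method: "POST",
      credentials: "include",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(payload),
    },
  };
}
```

Use it as `fetch(req.url, req.init)` where `req = buildApiRequest(workerURL, {...})`; if the preflight still lands on the login URL, the OPTIONS bypass setting in the Access application is the first thing to check.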