Cache serves incorrect CORS

Hello everyone!
I’ve been experiencing an issue since yesterday with my websites hosted on Cloudflare Pages. Suddenly, I’ve been receiving a CORS error when attempting to interact with the server (hosted on GCP with DNS on Cloudflare and proxy enabled).

I’ve conducted tests, and it appears that the request isn’t reaching my backend, so it somehow receives a corrupted set of CORS that I guess is somehow being cached by Cloudflare and then served.
Another important thing is that I’ve disabled the caching of my domain using Cache rules.

Here’s an example of the error in the client console tab (with placeholder domains):

Access to fetch at 'https://zzz.com' from origin 'https://yyy.zzz.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Typically, the issue occurs during the pre-flight of the CORS request when sending the OPTIONS request. Clearing browser cookies sometimes resolves the problem, but it may reoccur.

So to sum it up, my server is always up and available, doesn’t receive the request (the CDN/Cache serves the data), and for some reason, the server returns an incorrect set of CORS.

I’m eagerly awaiting support and assistance on this matter. Thanks!

Can you share a URL that shows the error you are receiving?

Cloudflare Pages has a default access-control-allow-origin: * response header. I’m unclear how you are interacting from Pages to GCP, so it’s difficult to guess what could be happening here. In a normal Cloudflare Proxy setup, Cloudflare includes the Origin request header in the cache key, so there should not be a situation where the incorrect CORS response from the Origin gets cached against the wrong Origin request header.

Sometimes these types of errors are not related to CORS at all, but the browser reports a CORS error when (for example) the response is a 403 Access Denied error page.

1 Like
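
An added example (not from the thread or from Cloudflare): a triage helper for the failure discussed above, which classifies a captured OPTIONS preflight response by status code, `Access-Control-Allow-Origin`, `Vary`, and Cloudflare's `cf-cache-status` header. The function name, the finding strings, and the sample responses are constructed for illustration.

```javascript
// Added illustration: classify a preflight (OPTIONS) response captured from
// DevTools or `curl -i -X OPTIONS`. Names and finding strings are hypothetical.
function triagePreflight(requestOrigin, res) {
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = String(v).trim();

  const acao = h['access-control-allow-origin'];
  const cache = (h['cf-cache-status'] || '').toUpperCase();
  // Statuses that mean the edge answered without asking the origin just now.
  const fromCache = ['HIT', 'STALE', 'UPDATING', 'REVALIDATED'].includes(cache);
  const varies = (h['vary'] || '').toLowerCase().split(',').map(s => s.trim());
  const findings = [];

  // A blocked or failed request (e.g. a 403 error page) carries no CORS
  // headers, so the browser reports it as a CORS failure.
  if (res.status < 200 || res.status > 299) {
    findings.push(`non-2xx-status:${res.status}`);
  }
  if (acao === undefined) {
    findings.push('missing-allow-origin');
  } else if (acao !== '*' && acao !== requestOrigin) {
    findings.push('allow-origin-mismatch');
    if (fromCache) findings.push('served-from-cache-for-other-origin');
  }
  // An origin-specific ACAO without Vary: Origin lets any shared cache that
  // does not key on Origin replay it to a different site.
  if (acao && acao !== '*' && !varies.includes('origin') && !varies.includes('*')) {
    findings.push('missing-vary-origin');
  }
  return { ok: findings.length === 0, fromCache, findings };
}

// Constructed sample responses (not captured from the sites in this thread).
const origin = 'https://app.example.test';
const samples = {
  healthy: { status: 204, headers: { 'Access-Control-Allow-Origin': origin, Vary: 'Origin', 'CF-Cache-Status': 'DYNAMIC' } },
  blocked: { status: 403, headers: { 'Content-Type': 'text/html', 'CF-Cache-Status': 'DYNAMIC' } },
  stale: { status: 204, headers: { 'Access-Control-Allow-Origin': 'https://other.example.test', 'CF-Cache-Status': 'HIT' } },
};
for (const [name, res] of Object.entries(samples)) {
  console.log(name, JSON.stringify(triagePreflight(origin, res)));
}
```

Feeding it the status and headers of a failing preflight separates the two explanations in the reply above: a non-2xx page with no CORS headers at all, versus an origin-specific header replayed from cache.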

Hey Michael,

These are the client URLs: https://reseller.giftoin.org and https://wallet.giftoin.org
These are the server URLs: https://web.reseller.giftoin.org and https://web.wallet.giftoin.org

It suddenly started to happen all over my sites (all of the backends are hosted at GCP and proxied by Cloudflare). The request from the client doesn’t hit my backend and somehow receives a CORS OPTIONS error, so I thought that maybe Cloudflare is serving the incorrect CORS. As a reminder, my backend allows my website URLs to send requests in the CORS settings, and this issue happens like 30% of the time.