The API is accessible via direct access, but an error is thrown when the frontend tries to access it.
Everything comes back to normal when the IP is removed or whitelisted.
The error is:
Access to XMLHttpRequest at ‘https://domain.com/api/xxx’ from origin ‘https://domain.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
Considering the origin is the same here, you shouldn't get that error message. Are you sure that is the error? Can you post a screenshot of the actual error?
Also, as asked earlier, can you provide a URL where that can be reproduced?
Access to XMLHttpRequest at ‘api.domain.com/api/xxx’ from origin ‘domain.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
Unfortunately I cannot disclose the real URL, but the situation is that apparently, while the zone is in challenge mode, Cloudflare is turning the CORS wildcard API application into a restricted one, and the front-end is unable to fetch data even after completing the challenge.
api.domain.com and domain.com are two different origins from a browser perspective and hence the error. That is not really a Cloudflare issue but you’d probably have to set the correct value for the mentioned header, after which the request should probably pass the origin check.
For follow-up questions I’d recommend to check out StackExchange and the like.
I am not sure what you mean by “non-triggered ips”. The error message is quite clear and is a standard message in such cases and is not Cloudflare related, please search for that error message for follow-up questions. It is a CORS issue, not a Cloudflare one.
If you post the actual URL, it would be possible to analyse that further. Without the URL there is nothing to test.
I found out the problem is in fact related to Cloudflare, however I still couldn’t find a solution.
What is happening is that after the user performs the challenge (JavaScript or regular), the session on that specific browser becomes whitelisted. HOWEVER, if the request is made in Firefox, or even Postman, this is the beginning of the output we are already familiar with, and it doesn’t belong to my API…:
So what is happening is that I am manually blacklisting IPs, but then the blacklisted user can only whitelist the session, instead of the whole IP, and this is what is causing me the issue…
That is not related to Cloudflare however, but you described the standard workflow. When you pass a challenge that - naturally - only applies to the current session. If you then send out-of-band requests via different channels, they will certainly be challenged too.
You’d need to rethink your approach in this case, maybe implement authentication on your server-side and drop the challenges.
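An added example, not part of the thread: a small classifier for the answer to a CORS preflight (OPTIONS) request, showing why a cross-origin call from domain.com to api.domain.com fails when something in front of the API answers with an HTML page instead of the API's own CORS headers. The function name, result labels and sample responses are assumptions constructed for illustration.

```javascript
// Added example: classify the answer to a CORS preflight (OPTIONS) request.
// The response objects further down are constructed samples, not captured traffic.
function classifyPreflight(pageUrl, apiUrl, response, withCredentials = false) {
  const pageOrigin = new URL(pageUrl).origin;
  // Same scheme + host + port: the browser applies no CORS check at all.
  if (pageOrigin === new URL(apiUrl).origin) return 'same-origin';

  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(response.headers)) headers[k.toLowerCase()] = v;

  const allow = headers['access-control-allow-origin'];
  const isHtml = (headers['content-type'] || '').startsWith('text/html');
  const ok = response.status >= 200 && response.status <= 299;

  if (allow === undefined) {
    // An HTML error page answering an API preflight suggests a proxy, WAF or
    // challenge page replied before the request ever reached the API.
    return (!ok && isHtml) ? 'blocked-intermediary-page' : 'blocked-missing-header';
  }
  // Browsers reject the wildcard when the request carries credentials.
  if (allow === '*' && withCredentials) return 'blocked-wildcard-with-credentials';
  if (allow !== '*' && allow !== pageOrigin) return 'blocked-origin-mismatch';
  return ok ? 'allowed' : 'blocked-bad-status';
}

const PAGE = 'https://domain.com/';
const API = 'https://api.domain.com/api/xxx';

// Constructed sample responses.
const apiWildcard = { status: 204, headers: { 'Access-Control-Allow-Origin': '*' } };
const challengePage = { status: 403, headers: { 'Content-Type': 'text/html; charset=UTF-8' } };
const apiNoCors = { status: 200, headers: { 'Content-Type': 'application/json' } };

function runSamples() {
  return {
    sameOrigin: classifyPreflight(PAGE, 'https://domain.com/api/xxx', apiNoCors),
    wildcard: classifyPreflight(PAGE, API, apiWildcard),
    wildcardWithCookies: classifyPreflight(PAGE, API, apiWildcard, true),
    challenged: classifyPreflight(PAGE, API, challengePage),
    noHeader: classifyPreflight(PAGE, API, apiNoCors),
  };
}

console.log(runSamples());
```

The browser reports the `challenged` and `noHeader` cases with the same "No 'Access-Control-Allow-Origin' header" message, so the status code and content type of the OPTIONS response in the network tab are what distinguish them.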
I understand now how it works and it makes sense for the most common usages.
However, I would like to suggest having another type of rule, where the user would automatically remove the tagged IP / rule just after completing the challenge; it would work in this situation for me.