Firebase CORS issue when accessing VPS server

I use Firebase for hosting and have a VPS elsewhere for my API.

In CF, I have my subdomain app.example.com pointing at Firebase with the orange cloud disabled
I also have my API setup as devenv.example.com and pointing at my VPS.

On the SSL/TLS app, I have SSH set to Flexible.

With this configuration, I can access my API on my local development environment, as well as via the Firebase Project URL, i.e. project-id.firebaseapp.com, however, I cannot connect to my API/VPS through my subdomain app.example.com

My app (React) throws a CORS access issue, however CORS is disabled on the VPS and API, so I believe this to be a red herring.

Anyone else in a similar situation found a solution for this/

I know nothing about Firebase, so may have missed something specific to that tool.

If you have CORS ‘disabled’ what does that mean? Is it that you never have a CORS response header on any response?

If you inspect the traffic in chrome devtools or similar, do you see an Origin header in the request? If you do, then you need to have a CORS response header, or the browser will fail to open the resource.

In my environments I inspect the incoming Origin request, and if it matches a whitelist, then I set the Access-Control-Allow-Origin response header to the value of the Origin request header. I do this in VCL, but Cloudflare Workers can do the same thing. Cloudflare includes the Origin header in the cache key, so you don’t need to worry about the wrong value being cached.

You could set:

Access-Control-Allow-Origin: *

Personally I don’t like this unless you are sure the resource is entirely public. Think of the * response as an default allow firewall rule.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.