R2 CORS policy not working for localhost in last few days

I have a CORS policy set on a R2 bucket that is mapped to a custom domain. It has been working fine for the last few weeks with no issues. It hosts static json content that is used across multiple domains.

The Allowed Origins is set to several domains, mostly https production domains, but there is a http localhost entry for development. In the last day or two, R2 is no longer setting the allowed origin correctly for the development record.

Anybody else seen this? The CORS policy hasn’t been changed for a week or two, but the problem started showing up in the last day or two?

After more research, it seems that something is caching the Access-Control-Allow-Origin response, seemingly on Cloudflare’s side. I’m seeing the Vary: Origin header on the request, but Cloudflare is responding with the wrong domain for Allowed-Origin. It seems like Vercel has/had a similar problem.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.