Unable to set CORS header for access application to allow any origin

I want to allow cors with credentials to a certain API I’m creating, it’s for a bookmarklet so it should be allowed to POST from any origin.

If I use the dash.teams.cloudflare dashboard I cannot save my application when I select allow all origins and allow credentials at the same time.

If I try to do it through the API with this body:

"name": "redacted",
"domain": "redacted",
"cors_headers": {
    "max_age": 86400,
  "allow_all_headers": true,
  "allow_all_methods": true,
  "allow_credentials": true,
  "allow_all_origins": true

I get an error 12058,

  "result": null,
  "success": false,
  "errors": [
      "code": 12058,
      "message": "access.api.error.invalid_cors_origins"
  "messages": []

Is there a reason the this cannot be enabled? Does anyone know how to enable it?

I’m pretty sure that allow credentials is not compatible with access-control-allow-origin: *, you have to explicitly specify the origin in the response header.

I’ll try and find the reference.

In the headers that is true, but the implementation in this case should be that you return the provided origin in the response header.

Also if this is the reason, the error message in the dashboard could be much improved.