WAF custom rule blocks calls it should not block

I have R2 set up with CORS and everything is working well. I added a WAF custom rule to prevent access to my r2.example.com if it’s not originating from my web site (which currently is only localhost from my dev machine). So the rule says "Block the request if hostname starts with r2.example.com and referer does not start with localhost".
My JavaScript code uses fetch to get the R2 resource. I checked that the referer header is correctly set to localhost. I get a CORS error. When the resource is typed in the browser address bar, I get a 403.

In the case of my fetch, the activity rule of the log in the dashboard does not reveal anything else. This page does not even show the referer (this is not an option in the available columns).

Any idea why my call is blocked?

Hey there,

If you are getting a CORS error instead of a 403 error then I do not believe that the issue is the WAF custom rule you have implemented, as you would see a 403 instead if the block was from the WAF. This also explains why you do not see any information in the activity log for the rule, as the rule did not trigger. I would recommend you double-check to see if your CORS settings are correctly configured.

Thanks but this is not the solution.
I’m very surprised, but if I change my rule to referer “does not contain” instead of referer “does not start”, then it works. If you have an explanation…
As I told you, CORS is set up correctly, because I know how to break it by changing allowed origin, method or header :wink:
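
Added example, not part of the thread: a plain JavaScript model of the rule described above (not Cloudflare's rule engine), run over constructed requests. It assumes the dev page is served from http://localhost:3000; because a Referer header carries a full URL including the scheme, the "starts with" test never matches, while "contains" also matches URLs whose host is not localhost.

```javascript
// Added illustration: models the rule from the thread in plain JavaScript.
// It is not Cloudflare's rule engine; the requests below are constructed samples.

// Rule as described: block when the host starts with r2.example.com AND the
// Referer fails the chosen test against "localhost".
function isBlocked(req, refererTest) {
  const referer = req.referer || "";
  return req.host.startsWith("r2.example.com") && !refererTest(referer);
}

// The two operators tried in the thread.
const startsWithLocalhost = (r) => r.startsWith("localhost");
const containsLocalhost = (r) => r.includes("localhost");

// Stricter alternative (an assumption, not from the thread): parse the
// Referer as a URL and compare only its hostname.
function hostIsLocalhost(r) {
  try {
    return new URL(r).hostname === "localhost";
  } catch {
    return false; // empty or malformed Referer
  }
}

// Constructed sample requests; port 3000 is an assumed dev-server port.
const samples = [
  { name: "fetch from dev page", host: "r2.example.com", referer: "http://localhost:3000/" },
  { name: "typed in address bar", host: "r2.example.com", referer: "" },
  { name: "path mentions localhost", host: "r2.example.com", referer: "https://other.example/localhost/" },
];

// For each sample, report whether each variant of the rule would block it.
function evaluate() {
  return samples.map((s) => ({
    name: s.name,
    startsWith: isBlocked(s, startsWithLocalhost),
    contains: isBlocked(s, containsLocalhost),
    hostname: isBlocked(s, hostIsLocalhost),
  }));
}

console.table(evaluate());
```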