I have R2 set up with CORS and everything is working well. I added a WAF custom rule to prevent access to my r2.example.com if it's not originating from my web site (which currently is only localhost from my dev machine). So the rule says "Block the request if hostname starts with r2.example.com and referer does not start with localhost".
My JavaScript code uses fetch to get the R2 resource. I checked that the referer header is correctly set to localhost. I get a CORS error. When the resource is typed in the browser address bar, I get a 403.
In the case of my fetch, the activity rule of the log in the dashboard does not reveal anything else. This page does not even show the referer (this is not an option in the available columns).
Any idea why my call is blocked?
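
An added example, not part of the original post: a small model of the rule exactly as the post words it, run against constructed requests. It assumes the Referer header arrives as a full URL with its scheme, which is how browsers send it; the function names, the port 3000 and the sample requests are hypothetical, and this is not Cloudflare's rule engine.

```javascript
// Rule as worded in the post: block when the hostname starts with
// "r2.example.com" AND the referer does not start with "localhost".
function ruleBlocks(req) {
  const referer = req.headers.referer ?? ""; // absent header treated as empty
  return req.host.startsWith("r2.example.com") && !referer.startsWith("localhost");
}

// Variant for comparison: parse the Referer and compare its hostname
// instead of matching on the raw header string.
function ruleBlocksByRefererHost(req) {
  let refererHost = "";
  try {
    refererHost = new URL(req.headers.referer ?? "").hostname;
  } catch {
    refererHost = ""; // missing or unparsable Referer
  }
  return req.host.startsWith("r2.example.com") && refererHost !== "localhost";
}

// Constructed sample requests (not taken from the post's logs).
const requests = {
  // fetch() issued by a page served from the dev machine
  fetchFromDevPage: { host: "r2.example.com", headers: { referer: "http://localhost:3000/" } },
  // URL typed into the address bar: the browser sends no Referer
  addressBar: { host: "r2.example.com", headers: {} },
  // Request coming from an unrelated site
  otherSite: { host: "r2.example.com", headers: { referer: "https://other.example/page" } },
};

// Evaluate one rule over every sample request: { name: blocked? }
function evaluate(rule) {
  return Object.fromEntries(
    Object.entries(requests).map(([name, req]) => [name, rule(req)])
  );
}

console.log("raw starts-with match:", evaluate(ruleBlocks));
console.log("referer host match:   ", evaluate(ruleBlocksByRefererHost));
```
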