Hi! We’re having an issue while using CORS. We’re on Redwood 2.2.0 and using Netlify for hosting. This behaviour only happens in production; when following this guide (Cross-Origin Resource Sharing | RedwoodJS Docs) to test it locally, it works fine.
Previously, we only needed to make CORS requests from a specific URL. With this configuration:
```ts
// api/src/functions/graphql.ts
// ...
export const handler = createGraphQLHandler({
  // ...
  cors: {
    origin: 'https://internal.abillion.com',
  },
})
```
It works fine. Here are the relevant response headers of the preflight request to `/graphql` from `https://internal.abillion.com`:
```
access-control-allow-credentials: true
access-control-allow-headers: authorization,content-type, authorization,content-type
access-control-allow-methods: POST, POST
access-control-allow-origin: https://internal.abillion.com
```
However, when we try to change that to an array:
```ts
// api/src/functions/graphql.ts
// ...
  cors: {
    origin: ['https://internal.abillion.com', 'https://someotherdomain.com'],
  },
```
We get `null` in the allowed origin:
```
access-control-allow-credentials: true
access-control-allow-headers: authorization,content-type, authorization,content-type
access-control-allow-methods: POST, POST
access-control-allow-origin: null
```
And when we try with “*”:
```ts
// api/src/functions/graphql.ts
// ...
  cors: {
    origin: ['https://internal.abillion.com', 'https://someotherdomain.com'],
  },
```
We strangely get the same domain twice in the allowed origin, which gives a CORS error as well:
```
access-control-allow-credentials: true
access-control-allow-headers: authorization,content-type, authorization,content-type
access-control-allow-methods: POST, POST
access-control-allow-origin: https://internal.abillion.com, https://internal.abillion.com
```
We don’t have any other CORS configuration, be it for authentication, or on Netlify (including netlify.toml).
Has anybody else faced this issue? Any pointers on how we could fix it? Thanks a lot!
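
A check for the header problems visible in the dumps above, added here as an example (it is not part of the original post and is not RedwoodJS code). The function names `parts` and `checkCorsHeaders` are hypothetical, and the sample headers are constructed from the three dumps in the post.

```javascript
// Split a combined header value on commas into trimmed, non-empty parts.
function parts(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Returns a list of findings for one preflight response.
// `headers`: plain object with lower-case names; `requestOrigin`: the Origin sent.
function checkCorsHeaders(headers, requestOrigin) {
  const findings = [];
  const acao = parts(headers['access-control-allow-origin']);
  const credentials = headers['access-control-allow-credentials'] === 'true';
  if (acao.length === 0) {
    findings.push('allow-origin missing');
  } else if (acao.length > 1) {
    // Browsers accept exactly one origin (or *), never a list.
    findings.push('allow-origin has multiple values');
  } else if (acao[0] === 'null' && requestOrigin !== 'null') {
    // The literal string "null" only matches a request whose Origin is "null".
    findings.push('allow-origin is null');
  } else if (acao[0] === '*') {
    // Browsers reject the wildcard on credentialed requests.
    if (credentials) findings.push('wildcard origin with credentials');
  } else if (acao[0] !== requestOrigin) {
    findings.push('allow-origin does not match request origin');
  }
  // A value repeated inside one header suggests the header was set more than once.
  for (const name of ['access-control-allow-methods', 'access-control-allow-headers']) {
    const values = parts(headers[name]).map((v) => v.toLowerCase());
    if (new Set(values).size !== values.length) findings.push(`${name} has duplicate values`);
  }
  return findings;
}

// Constructed samples built from the three header dumps in the post.
const common = {
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'authorization,content-type, authorization,content-type',
  'access-control-allow-methods': 'POST, POST',
};
const origin = 'https://internal.abillion.com';
const samples = {
  single: { ...common, 'access-control-allow-origin': origin },
  array: { ...common, 'access-control-allow-origin': 'null' },
  third: { ...common, 'access-control-allow-origin': `${origin}, ${origin}` },
};
for (const [name, h] of Object.entries(samples)) console.log(name, checkCorsHeaders(h, origin));
```

Even the working single-origin response is flagged for repeated values in `access-control-allow-methods` and `access-control-allow-headers`, the same doubling that shows up in the allowed origin of the third dump.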