github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 03:18:23 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #1538] CORS errors when loading manifest.json behind Cloudflare Access #28069

New Issue
Closed
opened 2026-04-25 02:48:28 -05:00 by GiteaMirror · 13 comments
GiteaMirror commented 2026-04-25 02:48:28 -05:00
Owner
Copy Link

Originally created by @cybersholt on GitHub (Apr 13, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/1538

Bug Report

Description

Bug Summary:
The manifest.json file fails to load when Open WebUI is deployed in a self-hosted environment with Cloudflare Access enabled.

Steps to Reproduce:

  1. Deploy Open WebUI on your own self-hosted deployment.
  2. Configure Cloudflare to handle DNS and point a DNS record to the Open WebUI deployment.
  3. Activate Cloudflare Access.
  4. Attempt to access the Open WebUI and observe the error.

Expected Behavior:
The manifest.json should load successfully without any CORS issues, allowing for proper functionality of the web UI.

Actual Behavior:
The manifest.json file does not load as expected, likely due to a CORS error, resulting in a dysfunctional or partially loaded web UI.

Environment

  • Operating System: Windows 10
  • Browser (if applicable): N/A Brave / Chromium 123.0.6312.122

Reproduction Details

Confirmation:

  • I have read and followed all the instructions provided in the README.md.
  • I am on the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.

Logs and Screenshots

Browser Console Logs:
Manifest: Line: 1, column: 1, Syntax error.

Docker Container Logs:
N/A

Screenshots (if applicable):
Error 1:
Error 1
Error 2:
Error 2
Example Fix:
Fix

Installation Method

Docker

Additional Information

This bug is the same as: https://github.com/outline/outline/issues/1850 and only requires modifying the manifest link element to include the attribute crossorigin="use-credentials". This allows the manifest to be loaded with credentials such as cookies or authorization headers.

I was able to test the validity of this by modifying the code in /app/build/index.html from:
<link rel="manifest" href="manifest.json">
to:
<link rel="manifest" href="manifest.json" crossorigin="use-credentials">

Originally created by @cybersholt on GitHub (Apr 13, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/1538 # Bug Report ## Description **Bug Summary:** The manifest.json file fails to load when Open WebUI is deployed in a self-hosted environment with Cloudflare Access enabled. **Steps to Reproduce:** 1. Deploy Open WebUI on your own self-hosted deployment. 2. Configure Cloudflare to handle DNS and point a DNS record to the Open WebUI deployment. 3. Activate Cloudflare Access. 4. Attempt to access the Open WebUI and observe the error. **Expected Behavior:** The manifest.json should load successfully without any CORS issues, allowing for proper functionality of the web UI. **Actual Behavior:** The manifest.json file does not load as expected, likely due to a CORS error, resulting in a dysfunctional or partially loaded web UI. ## Environment - **Operating System:** Windows 10 - **Browser (if applicable):** N/A Brave / Chromium 123.0.6312.122 ## Reproduction Details **Confirmation:** - [x] I have read and followed all the instructions provided in the README.md. - [x] I am on the latest version of both Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. ## Logs and Screenshots **Browser Console Logs:** Manifest: Line: 1, column: 1, Syntax error. **Docker Container Logs:** N/A **Screenshots (if applicable):** Error 1: ![Error 1](https://github.com/open-webui/open-webui/assets/1348086/b6d85303-9930-4e82-a6d2-496af2178c11) Error 2: ![Error 2](https://github.com/open-webui/open-webui/assets/1348086/51c6d716-2f1a-40a2-adff-7719bf52372f) Example Fix: ![Fix](https://github.com/open-webui/open-webui/assets/1348086/18a5a031-192e-412d-9ef3-7ba11e1de46e) ## Installation Method Docker ## Additional Information This bug is the same as: https://github.com/outline/outline/issues/1850 and only requires modifying the manifest link element to include the attribute crossorigin="use-credentials". This allows the manifest to be loaded with credentials such as cookies or authorization headers. I was able to test the validity of this by modifying the code in /app/build/index.html from: `<link rel="manifest" href="manifest.json">` to: `<link rel="manifest" href="manifest.json" crossorigin="use-credentials">`
GiteaMirror commented 2026-04-25 02:48:30 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Apr 13, 2024):

Made the change in our dev branch, let us know if that fixes the issue. Thanks!

<!-- gh-comment-id:2053768169 --> @tjbck commented on GitHub (Apr 13, 2024): Made the change in our dev branch, let us know if that fixes the issue. Thanks!
GiteaMirror commented 2026-04-25 02:48:31 -05:00
Author
Owner
Copy Link

@cybersholt commented on GitHub (Apr 14, 2024):

@tjbck Thanks for the quick response and the fix, works great!

<!-- gh-comment-id:2054131212 --> @cybersholt commented on GitHub (Apr 14, 2024): @tjbck Thanks for the quick response and the fix, works great!
GiteaMirror commented 2026-04-25 02:48:31 -05:00
Author
Owner
Copy Link

@oreeke commented on GitHub (Mar 12, 2025):

@tjbck The error is still there, why was the fix canceled?

<!-- gh-comment-id:2717923109 --> @oreeke commented on GitHub (Mar 12, 2025): @tjbck The error is still there, why was the fix canceled?
GiteaMirror commented 2026-04-25 02:48:32 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Mar 17, 2025):

@oreeke as you can see, nobody reported this in almost a full year and it was fixed and the original poster of the issue confirmed it was fixed.

So it was fixed. Therefore, it was closed.
If you have a similar problem, it is more than probable it is due to misconfiguration on your side than open-webui.
If you have issues with CORS, try setting the CORS environment variable accordingly.

<!-- gh-comment-id:2729238593 --> @Classic298 commented on GitHub (Mar 17, 2025): @oreeke as you can see, nobody reported this in almost a full year and it was fixed **and the original poster of the issue confirmed it was fixed.** So it was fixed. Therefore, it was closed. If you have a similar problem, it is more than probable it is due to misconfiguration on your side than open-webui. If you have issues with CORS, try setting the CORS environment variable accordingly.
GiteaMirror commented 2026-04-25 02:48:33 -05:00
Author
Owner
Copy Link

@themw123 commented on GitHub (Mar 17, 2025):

I am facing a similar issue: in browser console i am getting:

my.domain.com/:1 Access to manifest at 'https://domain.cloudflareaccess.com/cdn-cgi/access/login/my.domain.com?kid=...' (redirected from 'https://my.domain.com/manifest.json') from origin 'https://my.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
<!-- gh-comment-id:2729289839 --> @themw123 commented on GitHub (Mar 17, 2025): I am facing a similar issue: in browser console i am getting: ``` my.domain.com/:1 Access to manifest at 'https://domain.cloudflareaccess.com/cdn-cgi/access/login/my.domain.com?kid=...' (redirected from 'https://my.domain.com/manifest.json') from origin 'https://my.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. ```
GiteaMirror commented 2026-04-25 02:48:33 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Mar 17, 2025):

looks like you did not set the CORS policy via environment variable.

<!-- gh-comment-id:2729723126 --> @Classic298 commented on GitHub (Mar 17, 2025): looks like you did not set the CORS policy via environment variable.
GiteaMirror commented 2026-04-25 02:48:34 -05:00
Author
Owner
Copy Link

@oreeke commented on GitHub (Mar 17, 2025):

@Classic298
Perhaps you are commenting without understanding the issue at all. And the problem isn't being reported further simply because there are fewer application scenarios.
The error log mentions CORS, but that's not the root cause.
Maybe you should use google or look at other similar issues in github.
This issue was fixed at one point, but for whatever reason it was canceled, which is what I'm asking about.

<!-- gh-comment-id:2730049885 --> @oreeke commented on GitHub (Mar 17, 2025): @Classic298 Perhaps you are commenting without understanding the issue at all. And the problem isn't being reported further simply because there are fewer application scenarios. The error log mentions CORS, but that's not the root cause. Maybe you should use google or look at other similar issues in github. This issue was fixed at one point, but for whatever reason it was canceled, which is what I'm asking about.
GiteaMirror commented 2026-04-25 02:48:35 -05:00
Author
Owner
Copy Link

@oreeke commented on GitHub (Mar 17, 2025):

@themw123
It is possible to temporarily apply a bypass policy to manifest.json to ignore this issue.

<!-- gh-comment-id:2730095333 --> @oreeke commented on GitHub (Mar 17, 2025): @themw123 It is possible to temporarily apply a bypass policy to manifest.json to ignore this issue.
GiteaMirror commented 2026-04-25 02:48:35 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Mar 17, 2025):

If that's the case, pardon

<!-- gh-comment-id:2730095756 --> @Classic298 commented on GitHub (Mar 17, 2025): If that's the case, pardon
GiteaMirror commented 2026-04-25 02:48:35 -05:00
Author
Owner
Copy Link

@oreeke commented on GitHub (Mar 17, 2025):

@Classic298
Not a big deal.
I was thinking they didn't use a fix like <link rel="manifest" href="manifest.json" crossorigin="use-credentials">.
Possibly due to other concerns, or a more elegant approach.

<!-- gh-comment-id:2730158711 --> @oreeke commented on GitHub (Mar 17, 2025): @Classic298 Not a big deal. I was thinking they didn't use a fix like `<link rel="manifest" href="manifest.json" crossorigin="use-credentials">`. Possibly due to other concerns, or a more elegant approach.
GiteaMirror commented 2026-04-25 02:48:36 -05:00
Author
Owner
Copy Link

@themw123 commented on GitHub (Mar 18, 2025):

Fixed it by setting a bypass rule in cloudflare for my.domain.com/config.json

<!-- gh-comment-id:2734099715 --> @themw123 commented on GitHub (Mar 18, 2025): Fixed it by setting a bypass rule in cloudflare for my.domain.com/config.json
GiteaMirror commented 2026-04-25 02:48:37 -05:00
Author
Owner
Copy Link

@oreeke commented on GitHub (Mar 18, 2025):

@themw123
Using the bypass rule for config.json is not secure; you can set only my.domain.com/manifest.json.

<!-- gh-comment-id:2734826291 --> @oreeke commented on GitHub (Mar 18, 2025): @themw123 Using the bypass rule for config.json is not secure; you can set only my.domain.com/manifest.json.
GiteaMirror commented 2026-04-25 02:48:37 -05:00
Author
Owner
Copy Link

@oreeke commented on GitHub (Apr 13, 2025):

This issue was fixed in 0.6.3.

<!-- gh-comment-id:2799943123 --> @oreeke commented on GitHub (Apr 13, 2025): This issue was fixed in 0.6.3.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#28069
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?