[GH-ISSUE #2369] CORS Pre-flight fails for public resources #12960

Open
opened 2026-05-13 18:28:44 -05:00 by GiteaMirror · 4 comments
Owner

Originally created by @Cavamania on GitHub (Jan 29, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2369

Originally assigned to: @miloschwartz on GitHub.

Describe the Bug

If authorization is enabled on a public resource, the CORS pre-flight request will fail. CORS pre-flight normally doesn't allow extra headers so authentication may fail on the OPTIONS request. There also doesn't seem to be a mechanism to allow the preflight request to bypass auth (e.g. custom rule, CORS settings etc.).

Environment

  • OS Type & Version: Ubuntu 22.04
  • Pangolin Version: 1.15.1
  • Gerbil Version: 1.3.0
  • Traefik Version: v3.6
  • Newt Version: v1.9.0

To Reproduce

  • Start basic API node server
  • Add a resource with SSO enabled
  • Create a share link to create an auth token
  • Make CORS preflight request

Expected Behavior

Preflight requests are allow to pass auth.

Originally created by @Cavamania on GitHub (Jan 29, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2369 Originally assigned to: @miloschwartz on GitHub. ### Describe the Bug If authorization is enabled on a public resource, the CORS pre-flight request will fail. CORS pre-flight normally doesn't allow extra headers so authentication may fail on the OPTIONS request. There also doesn't seem to be a mechanism to allow the preflight request to bypass auth (e.g. custom rule, CORS settings etc.). ### Environment - OS Type & Version: Ubuntu 22.04 - Pangolin Version: 1.15.1 - Gerbil Version: 1.3.0 - Traefik Version: v3.6 - Newt Version: v1.9.0 ### To Reproduce - Start basic API node server - Add a resource with SSO enabled - Create a share link to create an auth token - Make CORS preflight request ### Expected Behavior Preflight requests are allow to pass auth.
GiteaMirror added the Improvementbug labels 2026-05-13 18:28:45 -05:00
Author
Owner

@oschwartz10612 commented on GitHub (Jan 29, 2026):

Yeah I think the solution here is that badger needs to pass CORS requests. Doing a bit of research seems like that is common but we should probably make it optional on the resource.

<!-- gh-comment-id:3819832288 --> @oschwartz10612 commented on GitHub (Jan 29, 2026): Yeah I think the solution here is that badger needs to pass CORS requests. Doing a bit of research seems like that is common but we should probably make it optional on the resource.
Author
Owner

@Identiddycrysis commented on GitHub (Apr 4, 2026):

Hi, unsure if this is related but i believe im having the same/similar issue.When attempting to disable public resources i get a network error from the gui and Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://nota.realwebsite.net/api/v1/resource/2. (Reason: CORS request did not succeed). Status code: (null). in the network tab.Also when attempting to add a new https resource a base domain is not present in the list despite a wildcard domain being present in the domains section.

<!-- gh-comment-id:4187659240 --> @Identiddycrysis commented on GitHub (Apr 4, 2026): Hi, unsure if this is related but i believe im having the same/similar issue.When attempting to disable public resources i get a network error from the gui and Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://nota.realwebsite.net/api/v1/resource/2. (Reason: CORS request did not succeed). Status code: (null). in the network tab.Also when attempting to add a new https resource a base domain is not present in the list despite a wildcard domain being present in the domains section.
Author
Owner

@BryanConradHart commented on GitHub (Apr 13, 2026):

I think I'm getting the same thing, when trying to access my mealie public resource and I haven't logged in in a while:

Access to XMLHttpRequest at 'https://pangolin.mydomain.com/auth/resource/...?redirect=https%3A%2F%2Fmealie.mydomain.com%2Fapi%2Fapp%2Fabout' (redirected from 'https://mealie.mydomain.com/api/app/about') from origin 'https://mealie.mydomain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

the problem goes away if I clear site data (not just clear cache and hard refresh), so there is some element of caching to the problem I'm having (likely in mealie itself), but I figured I'd bring up my experience since it was also a CORS preflight issue.

<!-- gh-comment-id:4233956217 --> @BryanConradHart commented on GitHub (Apr 13, 2026): I think I'm getting the same thing, when trying to access my mealie public resource and I haven't logged in in a while: > Access to XMLHttpRequest at 'https://pangolin.mydomain.com/auth/resource/...?redirect=https%3A%2F%2Fmealie.mydomain.com%2Fapi%2Fapp%2Fabout' (redirected from 'https://mealie.mydomain.com/api/app/about') from origin 'https://mealie.mydomain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. the problem goes away if I clear site data (not just clear cache and hard refresh), so there is some element of caching to the problem I'm having (likely in mealie itself), but I figured I'd bring up my experience since it was also a CORS preflight issue.
Author
Owner

@Cavamania commented on GitHub (May 3, 2026):

This PR: https://github.com/fosrl/pangolin/pull/2131 might be a stop gap measure to allow these requests to succeed, although it's probably not the cleanest solution to the problem.

<!-- gh-comment-id:4367258122 --> @Cavamania commented on GitHub (May 3, 2026): This PR: https://github.com/fosrl/pangolin/pull/2131 might be a stop gap measure to allow these requests to succeed, although it's probably not the cleanest solution to the problem.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#12960