mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-17 07:04:36 -05:00
[GH-ISSUE #2369] CORS Pre-flight fails for public resources #17135
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Cavamania on GitHub (Jan 29, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2369
Originally assigned to: @miloschwartz on GitHub.
Describe the Bug
If authorization is enabled on a public resource, the CORS pre-flight request will fail. CORS pre-flight normally doesn't allow extra headers so authentication may fail on the OPTIONS request. There also doesn't seem to be a mechanism to allow the preflight request to bypass auth (e.g. custom rule, CORS settings etc.).
Environment
To Reproduce
Expected Behavior
Preflight requests are allow to pass auth.
@oschwartz10612 commented on GitHub (Jan 29, 2026):
Yeah I think the solution here is that badger needs to pass CORS requests. Doing a bit of research seems like that is common but we should probably make it optional on the resource.
@Identiddycrysis commented on GitHub (Apr 4, 2026):
Hi, unsure if this is related but i believe im having the same/similar issue.When attempting to disable public resources i get a network error from the gui and Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://nota.realwebsite.net/api/v1/resource/2. (Reason: CORS request did not succeed). Status code: (null). in the network tab.Also when attempting to add a new https resource a base domain is not present in the list despite a wildcard domain being present in the domains section.
@BryanConradHart commented on GitHub (Apr 13, 2026):
I think I'm getting the same thing, when trying to access my mealie public resource and I haven't logged in in a while:
the problem goes away if I clear site data (not just clear cache and hard refresh), so there is some element of caching to the problem I'm having (likely in mealie itself), but I figured I'd bring up my experience since it was also a CORS preflight issue.
@Cavamania commented on GitHub (May 3, 2026):
This PR: https://github.com/fosrl/pangolin/pull/2131 might be a stop gap measure to allow these requests to succeed, although it's probably not the cleanest solution to the problem.