Browser Version: Edge Version 120.0.2210.121 (Official build) (64-bit)
Headscale Version: 0.22.3
Any Browser Errors (control+shift+i in chrome to see)
Access to fetch at 'https://xxx/api/v1/apikey' from origin 'https://xxxx' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
Describe the bug
The problem for CORS is that -
the preflight goes to /api/v1/apikey without credentials (this is by design)
1. Browser treats 401 as no-ok and blocked the CORS request(even though all CORS headers in place).
Access to fetch at 'https://xxx/api/v1/apikey' from origin 'https://xxxx' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
Sounds like CORS will never work unless headscale replies 2xx for OPTIONS requests.
Supporting Details Provide the following:
control+shift+i
in chrome to see) Access to fetch at 'https://xxx/api/v1/apikey' from origin 'https://xxxx' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.Describe the bug The problem for CORS is that -
/api/v1/apikey
without credentials (this is by design)OPTIONS /api/v1/apikey
< HTTP/1.1 401 Unauthorized < Server: openresty < Date: Wed, 10 Jan 2024 03:05:54 GMT < Content-Type: text/plain; charset=utf-8 < Content-Length: 12 < Connection: keep-alive < Access-Control-Allow-Origin: * < Access-Control-Allow-Credentials: true < Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS < Access-Control-Allow-Headers: Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With < Unauthorized
Access to fetch at 'https://xxx/api/v1/apikey' from origin 'https://xxxx' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.