vaadin / copilot

[BUG] CORS blocks copilot #31

Open Xeen00 opened 1 month ago

Xeen00 commented 1 month ago

Description of the Bug

To load the copilot-plugins.js for Vaadin Copilot, a GET request is made to cdn.vaadin.com, which is blocked due to an anomaly in the request header. The way I see it, this is a problem that is being done incorrectly from the copilot request/response and is then blocked by CORS.

Expected Behavior

We only want to use the copilot for the "Go to Source" feature, which is not available without the copilot and involves sharing data with Vaadin servers. Would it be possible to bring back the feature as before?

Versions

Flow: 24.4.4
Vaadin: 24.4.7
Copilot: 24.4.8

Artur- commented 1 month ago

Hi,

To load copilot-plugins.js for Vaadin Copilot, the following code is used:

import('https://cdn.vaadin.com/copilot/24.4.8/copilot-plugins.js')

This should not set anything so that request's credentials mode is 'include' and thus the wildcard response should be ok. Is there something in your environment that turns on this mode?

Regardless, we can probably change the CDN response headers to deal better with this scenario.

Xeen00 commented 1 month ago

Thank you. Preferably, it would make sense to adjust this in the CDN response to continue to allow secure communication. A response with a wildcard in the header is not so preferable.
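
The rule discussed in this thread, as an added example (not code from the issue or from Vaadin): a simplified model of the browser's CORS check, showing why a wildcard `Access-Control-Allow-Origin` passes without credentials and fails when the credentials mode is `include`, plus one way a server can answer with an exact origin instead. `corsHeadersFor`, the allowlist and the `http://localhost:8080` origin are assumptions made for illustration.

```javascript
// Simplified model of the Fetch standard's CORS check for a cross-origin
// response. Header names in responseHeaders are expected in lowercase.
function corsCheck({ origin, credentialsMode, responseHeaders }) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  const allowCredentials = responseHeaders['access-control-allow-credentials'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  // The wildcard only matches when no credentials are attached.
  if (credentialsMode !== 'include' && allowOrigin === '*') {
    return { allowed: true, reason: 'wildcard, no credentials' };
  }
  if (allowOrigin !== origin) {
    return {
      allowed: false,
      reason: allowOrigin === '*'
        ? 'wildcard is not accepted when credentials mode is include'
        : 'origin mismatch',
    };
  }
  if (credentialsMode !== 'include') {
    return { allowed: true, reason: 'exact origin, no credentials' };
  }
  return allowCredentials === 'true'
    ? { allowed: true, reason: 'exact origin with credentials' }
    : { allowed: false, reason: 'Access-Control-Allow-Credentials is not true' };
}

// Server side (hypothetical helper): answer with the caller's exact origin only
// if it is on an allowlist, and mark the response as varying by Origin so a
// shared cache does not replay one origin's headers to another.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    vary: 'Origin',
  };
}

// Constructed sample values, not taken from the issue.
const DEV_ORIGIN = 'http://localhost:8080';
const wildcard = { 'access-control-allow-origin': '*' };
const echoed = corsHeadersFor(DEV_ORIGIN, [DEV_ORIGIN]);

console.log(corsCheck({ origin: DEV_ORIGIN, credentialsMode: 'same-origin', responseHeaders: wildcard }));
console.log(corsCheck({ origin: DEV_ORIGIN, credentialsMode: 'include', responseHeaders: wildcard }));
console.log(corsCheck({ origin: DEV_ORIGIN, credentialsMode: 'include', responseHeaders: echoed }));
```

The second call is the failure reported in this issue: the same wildcard response that is accepted for a request without credentials is rejected once credentials are included.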