CORS error with Preview deployment URLs

[reverbePrintemps]

Summary

Hi,

I have a backend that accepts certain explicit origins.

Now Vercel's deployment preview URLs are all different and I'd like to avoid having to add each deploy URL to the list of allowed origins on the backend but instead have a way to allow for origins using a wildcard which follows the pattern for deployment preview URLs: <project-name>-<unique-hash>-<scope-slug>.vercel.app

How could I go about achieving this?

Example

No response

Steps to Reproduce

Here's a bit of the backend code:

origins = [
   # List of origins
]

app = FastAPI(timeout=600)
register_routes(app)

app.add_middleware(
    CORSMiddleware,
    allow_origins=origins,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

I get a 400 CORS Missing Allow Origin on the OPTIONS preflight request and a NS_ERROR_DOM_BAD_URI on the subsequent POST request.

In the Firefox console, I get:

• Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at {BACKEND_URL}. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 400. and
• Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at {BACKEND_URL}. (Reason: CORS request did not succeed). Status code: (null).

In the Chrome console, I get:

• Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Any help much appreciated!

[HaythemLazaar]

Had the same issue here, I disabled deployment protection for the project and it worked.

[reverbePrintemps]

This means anyone on the internet can access your deployment though. That's not a viable solution unless you have server side authentication. (assuming you need to protect those deployments from being public) Glad it seems seems to be a viable solution in your case though :)

[maiconsanson]

Same here, disabling deployment protection work. But as mentioned, it's not a safe solution. 😞