[Bug] CORS / allowedDevOrigins issue in Next.js 15 when running in Firebase Cloud Workstations

When running next dev (Next.js 15, canary) ** in Firebase Studio**, I get the following error in the browser console:

⚠ Blocked cross-origin request from 6000-firebase-studio-xxxxx.cloudworkstations.dev to /_next/* resource.
To allow this, configure "allowedDevOrigins" in next.config

Despite attempts to configure the origin, requests to /_next/ resources are blocked due to CORS policy. This breaks dev mode completely — the page doesn’t load static assets (JS/CSS).


:hammer_and_wrench: What I tried

  • Set allowedDevOrigins: ["https://6000-firebase-studio-xxxxx.cloudworkstations.dev"] in next.config.js
  • Also tried using a wildcard:
Set `allowedDevOrigins: ["*.cloudworkstations.dev"]

:red_question_mark:Question

  • Is this the expected behavior?
  • Is there a correct way to define allowedDevOrigins in this remote browser-based dev setup?
  • If this is enforced for security — can this be relaxed in dev with a flag?

Are you placing the allowedDevOrigins in your next.config.js file?

{
  allowedDevOrigins: ['local-origin.dev', '*.local-origin.dev'],
}

Yes. * Is there a correct way to define allowedDevOrigins in this remote browser-based dev setup?