Hello,
I’m encountering a persistent CORS issue in my Firebase Studio workspace when attempting to make DELETE requests with cookies from my frontend (running on port 5173) to my backend (Node.js/Express, running on port 3000).
GET and POST requests with cookies are working as expected. However, for DELETE requests to my task deletion endpoint (/api/task/delete/:taskId), the browser’s preflight OPTIONS request is being intercepted and redirected by the workspace.
Here are the details from the web console:
Error Message:
Access to XMLHttpRequest at 'https://3000-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev/api/task/delete/6818919ca4104f723ca20783' from origin 'https://5173-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
Preflight Request Header:
OPTIONS /api/task/delete/6818919ca4104f723ca20783 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Method: DELETE
Connection: keep-alive
Host: 3000-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev
Origin: https://5173-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev
Referer: https://5173-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Preflight Response Header (showing the 302 redirect):
HTTP/1.1 302 Found
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS,PATCH,DELETE
Access-Control-Allow-Origin: https://5173-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev
Content-Length: 0
Date: Wed, 07 May 2025 10:12:20 GMT
Location: https://idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev/_workstation/forwardAuthCookie?_workstationRedirectOrigin=https%3A%2F%2F5173-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev&redirectToken=Wkl1QSLoA3xKwwBmClWxEw
My backend CORS configuration in DevDash/backend/src/index.ts is as follows:
app.use(cors({
  origin: ["http://localhost:5173", FRONTEND_URL, "https://idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev/_workstation/forwardAuthCookie?_workstationRedirectOrigin=https%3A%2F%2F5173-idx-webdevelopment-1744699567404.cluster-xpmcxs2fjnhg6xvn446ubtgpio.cloudworkstations.dev&redirectToken=xM7OoCYTerCrYT_VkuI9yQ"], // Note: including the redirect URL here was an attempt to fix, but doesn't seem right. Original intent was to allow the frontend origin.
  methods: ["GET", "POST", "DELETE", "PUT", "OPTIONS"],
  credentials: true,
  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With', 'device-remember-token', 'Access-Control-Allow-Origin', 'Origin', 'Accept']
}));
(Note: I’ve included the redirect URL in the origin list in my attempts to fix, but I understand this is likely not the correct approach as the issue is happening before my backend processes the request.)
The issue appears to be the workspace intercepting the preflight OPTIONS request and redirecting it for authentication purposes, which is preventing the actual DELETE request from being sent.
Could anyone provide guidance or a workaround for this specific preflight redirect issue with DELETE requests and cookies within the Firebase Studio environment? Is there a recommended configuration or approach to avoid this interception and allow DELETE requests with cookies to reach the backend correctly?
Thank you for your help!
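
Added example, not part of the original post: a small checker that applies the browser's preflight rules to a captured response, showing why a 302 fails even when every CORS header is correct, and why an allow-list entry containing a path or query can never match an Origin header. The function names (`checkPreflight`, `isBareOrigin`) and the host names are hypothetical, constructed to mirror the exchange above.

```javascript
// Added example (not from the original post). Header names are lower-cased.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Hypothetical helper: applies the browser's preflight checks, returns failures.
function checkPreflight(req, res, withCredentials) {
  const problems = [];
  // 1. The preflight response must be 2xx; redirects are never followed.
  if (res.status >= 300 && res.status < 400) {
    problems.push(`redirect (${res.status}) is not allowed for a preflight request`);
  } else if (res.status < 200 || res.status > 299) {
    problems.push(`status ${res.status} is not a 2xx status`);
  }
  // 2. Allow-Origin must equal the Origin; "*" is rejected with credentials.
  const allowOrigin = res.headers["access-control-allow-origin"];
  if (allowOrigin !== req.origin && (withCredentials || allowOrigin !== "*")) {
    problems.push("Access-Control-Allow-Origin does not match the request origin");
  }
  if (withCredentials && res.headers["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not 'true'");
  }
  // 3. A non-safelisted method must be listed in Allow-Methods.
  const allowed = (res.headers["access-control-allow-methods"] || "")
    .split(",").map((m) => m.trim()).filter(Boolean);
  const wildcard = !withCredentials && allowed.includes("*");
  if (!SAFELISTED_METHODS.has(req.method) && !allowed.includes(req.method) && !wildcard) {
    problems.push(`method ${req.method} is not in Access-Control-Allow-Methods`);
  }
  return problems;
}

// An allow-list entry can only match if it is a bare origin: scheme://host[:port].
function isBareOrigin(entry) {
  try { return new URL(entry).origin === entry; } catch { return false; }
}

// Constructed sample data modelled on the exchange in the post.
const FRONTEND = "https://5173-workspace.example.test";
const request = { method: "DELETE", origin: FRONTEND };
const corsHeaders = {
  "access-control-allow-origin": FRONTEND,
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "GET,POST,OPTIONS,PATCH,DELETE",
};
const redirected = { status: 302, headers: corsHeaders }; // proxy auth redirect
const answered = { status: 204, headers: corsHeaders };   // same headers, 2xx

console.log(checkPreflight(request, redirected, true));
console.log(checkPreflight(request, answered, true));
console.log(isBareOrigin(FRONTEND + "/_workstation/forwardAuthCookie?x=1"));
```
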