Temporarily set ‘*’ to eliminate variables while testing. I have also attempted setting urls explicitly to no avail.
However, despite the above, we still get
Blockquote
No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
Context: We have a unity based iOS client that interfaces with some discourse APIS and for testing we use WebGL. And we face this issue when testing on our browsers running WebGL specifically.
I am also observing from postman tests that all requests have a ‘strict-origin-when-cross-origin’ Referrer-Policy in the response headers.
I’m not sure we support the wildcard here. Can you try it with a real domain? We are using the cors settings in a couple sites with domains configured and it appears to work fine.
I attempted with a domain, no luck. Is there a way to confirm that the env vars are set correctly? (or that the app restart configured the cors without resending requests, just trying to think of ways to debug).
I think this is the part of code that handles the cors settings, just in case it is useful.