JS challenge, R2 assets and CORS issues
When a user of my website Brickfilms.com passes through the Cloudflare JS challenge, the website can't be loaded; I get CORS errors on JS files. Without the Cloudflare challenge, I don't have any issues loading the page.
My JS files are hosted on a subdomain using Cloudflare R2: assets.brickfilms.com, and the CORS of this bucket is correctly configured.
I don't understand why JS resources can't be loaded from the domain brickfilms.com. I have the impression that Cloudflare adds CORS or policy constraints for the challenge page and that it blocks the loading of the site once the challenge is resolved.
Any ideas?
7 Replies
Any ideas?
If you haven't already fixed this, what is the origin of the request that is being blocked (that is giving the CORS error)? You should be able to see it by using the network tool in Chrome.
The website is https://brickfilms.com/ and the asset I tried to load is https://assets.brickfilms.com/index.cdec2853.js
The 403 happens when I enable the JS challenge, the 200 when I disable it.
The assets.brickfilms.com domain is just an R2 bucket.
When the JS challenge is enabled, some additional headers are automatically added to the R2 file responses:
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Cross-Origin-Embedder-Policy
These headers are not here if the challenge is disabled.
Maybe a bug related to R2?
Any ideas, @rhildred?
Is your proxy proxying all of the headers? I had an issue where my CORS proxy wasn't passing on the Authorization header. It showed up as a 403 error.
It was hard to find because the network tab of the debugger showed it.
That was why I wrote https://github.com/diy-pwa/cloudflare2express. I needed to be able to test the CORS proxy and see it in the debugger.
All the files are hosted on an R2 bucket without any specific settings.
Cloudflare adds headers itself 🤔