Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access-Control-Allow-Origin header missing in dev server for assets #29549

Closed
1 task done
vkennke opened this issue Jan 31, 2025 · 6 comments · Fixed by #29607
Closed
1 task done

Access-Control-Allow-Origin header missing in dev server for assets #29549

vkennke opened this issue Jan 31, 2025 · 6 comments · Fixed by #29607
Assignees
@alan-agius4
Labels
angular/build:dev-server area: @angular/build freq1: low Only reported by a handful of users who observe it rarely severity5: regression type: bug/fix

Comments

@vkennke
Copy link

vkennke commented Jan 31, 2025

Command

serve

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

@angular-devkit/build-angular 19.1.4

Description

Starting with Angular 19.1.5, when running the development server using ng serve, the Access-Control-Allow-Origin header is no longer included in responses when accessing assets. In version 19.1.4, this header was still being sent with the value '*'.

This affects cross-origin requests to static assets served by the development server.

Minimal Reproduction

Repository for minimal reproduction:
[Link to Git Repository]

Steps to reproduce:

  1. Clone repository and install dependencies:
git clone https://github.com/vkennke/angular-cors.git
cd angular-cors
npm install
  1. Start dev server:
ng serve
  1. Access http://localhost:4200/assets/test.txt and check response headers

Expected behavior:
Response headers include Access-Control-Allow-Origin: *

Actual behavior:
Access-Control-Allow-Origin header is missing from response

To verify this is a regression:

  1. Edit package.json to set @angular-devkit/build-angular to 19.1.4:
"@angular-devkit/build-angular": "19.1.4"
  1. Repeat steps 2-3
  2. Observe that the Access-Control-Allow-Origin: * header is present

Exception or Error

No error is thrown, but the missing header prevents cross-origin requests from succeeding.

Your Environment

Angular CLI: 19.1.5
Node: 20.18.0
Package Manager: npm 10.8.2
OS: win32 x64

Angular: 19.1.4
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1901.5
@angular-devkit/build-angular   19.1.5
@angular-devkit/core            19.1.5
@angular-devkit/schematics      19.1.5
@angular/cli                    19.1.5
@schematics/angular             19.1.5
rxjs                            7.8.1
typescript                      5.7.3
zone.js                         0.15.0

Anything else relevant?

No response
@vkennke vkennke changed the title Access-Control-Allow-Origin header missing in dev server for assets starting with Angular 19.1.5 Access-Control-Allow-Origin header missing in dev server for assets Jan 31, 2025
@alan-agius4
Copy link
Collaborator

Can you explain why you need this header? If you're accessing resources from a different host, this behavior is expected. For more details, see: #29471.

@alan-agius4 alan-agius4 added the needs: more info Reporter must clarify the issue label Feb 10, 2025
@AndreKoepke
Copy link

Can you explain why you need this header?

Longer answer

In our case: We have a multi-frontend-system. The "main"-system runs somewhere in cloud (for example under "example.com") and loads its configured subsystems from various different domains ("exampleA.com", "exampleB.com", and so on).
Each subsystem has a defined entrypoint - the asset-file "manifest.json". Have a look at scion-workbench for more details.

For developing-purposes it is necessary that we can use the "manifest.json" from our local environment. We can say at domain "example.com" that one manifest can be found at localhost. Then the system tries to load the "localhost:4200/assets/manifest.json" file while the webpage is running under "example.com".

I will have a look at #29471 tomorrow. Maybe it solves our problems.
For us, it was a big surprise that jumping to the next patch release causing these kinds of troubles.

@vkennke
Copy link
Author

vkennke commented Feb 11, 2025

Patch versions should never introduce breaking changes.

Our workaround is to set the header manually.

"serve": {
          "builder": "@angular-devkit/build-angular:dev-server",
          "options": {
            "headers": {
              "Access-Control-Allow-Origin": "*"
            },

@AndreKoepke
Copy link

Can you explain why you need this header? If you're accessing resources from a different host, this behavior is expected. For more details, see: #29471.

I tried to set

"serve": {
      "builder": "@angular-devkit/build-angular:dev-server",
      "options": {
        "allowedHosts": ["example.com"]
      },

but it won't work. I got a warning "The "allowedHosts" option will not be used because it is not supported by the "@angular-devkit/build-angular:application" builder.", is it already released?

The workaround of @vkennke works well.

@alan-agius4
Copy link
Collaborator

alan-agius4 commented Feb 11, 2025
edited
Loading

The warning is no longer relevant and should be removed, setting the allowedHosts. I did some further digging and indeed the Access-Control-Allow-Origin is not added in this case.

@vkennke, you're right that patch updates should avoid breaking changes. However, in this case, it was necessary to address a security vulnerability in Vite.

@alan-agius4 alan-agius4 self-assigned this Feb 11, 2025
@alan-agius4 alan-agius4 added type: bug/fix freq1: low Only reported by a handful of users who observe it rarely severity5: regression area: @angular/build angular/build:dev-server and removed needs: more info Reporter must clarify the issue labels Feb 11, 2025
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Feb 11, 2025
@alan-agius4
fix(@angular/build): configure Vite CORS option
8349508 
Vite's `allowedHosts` option does not enable CORS; instead, it allows the dev server to respond to requests with a matching hostname (e.g., http://example.com/main.js). It only verifies that the request’s hostname is on the allowed list. However, this does not consider the `origin` in the case of a CORS request.

This commit updates Vite's configuration to enable CORS.

Closes angular#29549
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Feb 11, 2025
@alan-agius4
fix(@angular/build): configure Vite CORS option
5d3cc6b 
Vite's `allowedHosts` option does not enable CORS; instead, it allows the dev server to respond to requests with a matching hostname (e.g., http://example.com/main.js). It only verifies that the request’s hostname is on the allowed list. However, this does not consider the `origin` in the case of a CORS request.

This commit updates Vite's configuration to enable CORS.

Closes angular#29549
@alan-agius4 alan-agius4 mentioned this issue Feb 11, 2025
Merged
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Feb 12, 2025
@alan-agius4
fix(@angular/build): configure Vite CORS option
eefbeed 
Vite's `allowedHosts` option does not enable CORS; instead, it allows the dev server to respond to requests with a matching hostname (e.g., http://example.com/main.js). It only verifies that the request’s hostname is on the allowed list. However, this does not consider the `origin` in the case of a CORS request.

This commit updates Vite's configuration to enable CORS.

Closes angular#29549
alan-agius4 added a commit that referenced this issue Feb 12, 2025
@alan-agius4
fix(@angular/build): configure Vite CORS option
df1d388 
Vite's `allowedHosts` option does not enable CORS; instead, it allows the dev server to respond to requests with a matching hostname (e.g., http://example.com/main.js). It only verifies that the request’s hostname is on the allowed list. However, this does not consider the `origin` in the case of a CORS request.

This commit updates Vite's configuration to enable CORS.

Closes #29549

(cherry picked from commit be15b88)
@AndreKoepke
Copy link

Confirmed. In 19.1.7 is all fine again. Thanks @alan-agius4. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alan-agius4 alan-agius4

Labels
angular/build:dev-server area: @angular/build freq1: low Only reported by a handful of users who observe it rarely severity5: regression type: bug/fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(@angular/build): configure Vite CORS option alan-agius4/angular-cli
3 participants
@AndreKoepke @alan-agius4 @vkennke