
fix: Add CORS headers to error responses for CM origins #114

Merged: field123 merged 1 commit into master from fix/cors-error-responses on Feb 5, 2026
field123 (Collaborator) commented Feb 5, 2026

Summary

  • Adds CORS headers to error responses for Commerce Manager origins
  • Prevents CORS errors from masking actual auth/permission errors

Problem

When credentials are included in a request and the server returns an error without CORS headers, browsers block reading the response entirely. This causes auth errors (401, 403) to appear as CORS errors, making debugging difficult.

Solution

In the error handler (addEndErrorHandlers), check if the request origin is an allowed CM origin and set the appropriate CORS headers before sending the error response.

Test plan

  • Deploy to integration
  • From CM, trigger an auth error (e.g., invalid session)
  • Verify the actual error message is visible in browser console instead of CORS error

When an error occurs, the error handler now ensures CORS headers are set
for Commerce Manager origins. This prevents CORS errors from masking the
actual error (e.g., auth failures appearing as CORS blocked).

Previously, if a request from CM failed with an error, the browser would
show a CORS error because the error response lacked Access-Control headers.
Now the actual error status and message will be visible in the browser.

field123 merged commit c88ae0c into master Feb 5, 2026
7 checks passed
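
An added example, not code from this repository: a sketch in JavaScript of the check the PR describes, where the error path sets CORS headers only for allowlisted origins. The allowlist entries, the function names and the fake response object are assumptions; `addEndErrorHandlers` itself is not shown on the page.

```javascript
// Constructed allowlist: the real Commerce Manager origins are not on the page.
const ALLOWED_CM_ORIGINS = new Set([
  "https://cm.example.com",
  "https://cm-staging.example.com",
]);

// Headers to attach to an error response for a given Origin request header.
// Exact-match lookup only: no substring or regex tests, so lookalike hosts,
// the literal "null" origin and http:// downgrades all fail closed.
function corsHeadersForError(origin) {
  const headers = { Vary: "Origin" }; // keep caches from reusing a per-origin response
  if (typeof origin === "string" && ALLOWED_CM_ORIGINS.has(origin)) {
    // Credentialed requests need the exact origin echoed; "*" is rejected by browsers.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Hypothetical error handler standing in for the one the PR modifies.
function sendError(err, req, res) {
  for (const [name, value] of Object.entries(corsHeadersForError(req.headers.origin))) {
    res.setHeader(name, value);
  }
  res.statusCode = err.status || 500;
  res.end(JSON.stringify({ error: err.message }));
  return res;
}

// Minimal stand-in for http.ServerResponse so the example runs offline.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    statusCode: 200,
    body: "",
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end(body) { this.body = body; },
  };
}

// Constructed request: a 401 raised for a credentialed call from the given origin.
function demo(origin) {
  const err = Object.assign(new Error("invalid session"), { status: 401 });
  return sendError(err, { headers: { origin } }, fakeResponse());
}
```

The status and body are the same for every caller; only the CORS headers differ, so a page on a non-allowlisted origin still cannot read the error through the browser.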