agent active Last verified 2026-03-29

CORS and Cross-Origin Failures

Runbook for preflight failures, wrong API origins, and wildcard-origin credential issues.

What It Is

Use this runbook when the browser blocks API calls because of preflight failures, wildcard credential responses, or incorrect frontend-to-API origin mapping.

How It Works

Cross-origin failures usually mean one of three things: the browser is calling the wrong host, the API runtime returns the wrong Access-Control-Allow-Origin value, or a credentialed request receives a wildcard (Access-Control-Allow-Origin: *) response, which browsers reject.

Interfaces

  • browser network inspector
  • worker/API origin configuration
  • wrangler environment vars such as ALLOWED_ORIGINS

Data Flow

  1. Browser sends a preflight request to the target API origin.
  2. The API runtime returns CORS headers.
  3. The browser decides whether the actual request is allowed.

Failure Modes

  • frontend calling the product app origin instead of the API origin
  • Access-Control-Allow-Origin: * with credentials: include
  • missing origin in allowlist configuration
  • stale route or wrong hostname serving the API

Debugging

  • confirm the exact origin the browser is calling
  • inspect the worker route and CORS allowlist config
  • confirm whether the request is credentialed
  • verify the app is targeting the API host, not the frontend hostname
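
Added example, not part of the original runbook or of any project's own code: JavaScript for the allowlist check on the API side, plus a triage helper that maps one observed request to the failure modes listed above. It assumes ALLOWED_ORIGINS is a comma-separated list of exact origins; the function names, finding labels and example.test hostnames are hypothetical.

```javascript
// Assumption: ALLOWED_ORIGINS is a comma-separated list of exact origins.
function parseAllowlist(csv) {
  return new Set((csv || "").split(",").map((s) => s.trim()).filter(Boolean));
}

// API side: echo the caller's origin only when it is allowlisted.
// Never pair "*" with Access-Control-Allow-Credentials.
function corsHeaders(requestOrigin, allowedOriginsCsv) {
  const headers = { Vary: "Origin" }; // caches must key on the Origin header
  if (requestOrigin && parseAllowlist(allowedOriginsCsv).has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // no Allow-Origin header means the browser blocks the call
}

// Triage: classify one request copied from the browser network inspector.
// responseHeaders keys are assumed to be lowercased by the caller.
function diagnose(obs) {
  const findings = [];
  const acao = obs.responseHeaders["access-control-allow-origin"];
  if (new URL(obs.requestUrl).origin !== obs.apiOrigin) {
    findings.push("wrong-host"); // app targets frontend or stale hostname
  }
  if (acao === "*" && obs.credentialed) {
    findings.push("wildcard-with-credentials");
  }
  if (!parseAllowlist(obs.allowedOriginsCsv).has(obs.pageOrigin)) {
    findings.push("origin-not-allowlisted");
  }
  if (acao !== "*" && acao !== obs.pageOrigin) {
    findings.push("acao-missing-or-mismatch");
  }
  return findings;
}

// Constructed sample: a credentialed call that received a wildcard response.
const sample = {
  pageOrigin: "https://app.example.test",
  apiOrigin: "https://api.example.test",
  requestUrl: "https://api.example.test/v1/me",
  credentialed: true,
  allowedOriginsCsv: "https://app.example.test, https://admin.example.test",
  responseHeaders: { "access-control-allow-origin": "*" },
};
console.log(diagnose(sample));
```

An empty result from diagnose means none of the listed failure modes matched the observed request.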

Change Log / Verification

  • Verified against recent TopoloOne and Socialize resource-binding incidents on 2026-03-29