Problem:
The Envoy gateway intercepts CORS preflight (OPTIONS) requests and returns wildcard headers (`Access-Control-Allow-Origin: *`) before they reach our FastAPI application.
This breaks credentialed requests because, per the CORS specification, browsers reject `Access-Control-Allow-Origin: *` when `credentials: 'include'` is used.
Current behavior:
- Browser sends OPTIONS preflight with `Access-Control-Request-Headers`
- Gateway intercepts and returns `Access-Control-Allow-Origin: *`
- Browser blocks the actual request because wildcards can't be used with credentials
Expected behavior:
- OPTIONS requests should pass through to the application
- Application returns specific origin: `Access-Control-Allow-Origin: https://mydomain.com`
- Browser allows the credentialed request
Use case:
We have a SaaS application with a custom domain. Our frontend (on a different domain) makes authenticated API calls with cookies/credentials. Without proper CORS handling, our custom domain is unusable for production.
Suggested solutions (any would work):
1. Option to disable gateway-level CORS handling entirely
2. Option to pass through OPTIONS requests to the application
3. Configuration to specify allowed origins at the gateway level
This is blocking our production deployment on a custom domain.
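Added example (not code from this issue or from the Envoy/FastAPI projects) showing the preflight logic the "Expected behavior" section and option 3 describe: the application, or a gateway with an allowed-origins setting, must answer a preflight by echoing the one exactly matching allowlisted origin instead of `*`, and a mirror of the browser-side check shows why the wildcard fails once credentials are involved. The origin allowlist and header allowlist are constructed for the example.

```python
from typing import Dict, Iterable, Mapping, Optional

# Constructed allowlist for this example; in a deployment it comes from config.
ALLOWED_ORIGINS = frozenset({"https://mydomain.com"})
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = frozenset({"authorization", "content-type", "x-requested-with"})


def preflight_response(request_headers: Mapping[str, str],
                       allowed_origins: Iterable[str] = ALLOWED_ORIGINS) -> Optional[Dict[str, str]]:
    """Build the headers to return for an OPTIONS preflight.

    Returns None when the Origin is not allowlisted; the caller then answers
    with no CORS headers at all, which the browser treats as a denial.
    The Origin is compared exactly against the allowlist: no '*', no prefix
    or substring matching, and no blind reflection of whatever was sent.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin not in set(allowed_origins):
        return None
    # Grant only the requested headers that are also allowlisted; if any
    # requested header is missing from the grant, the browser fails the preflight.
    requested = headers.get("access-control-request-headers", "")
    wanted = [h.strip().lower() for h in requested.split(",") if h.strip()]
    granted = [h for h in wanted if h in ALLOWED_HEADERS]
    return {
        # Echo the single matching origin, never '*': the browser rejects '*'
        # whenever the fetch used credentials: 'include'.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(granted),
        # The response depends on Origin, so caches must not replay one
        # origin's headers to a request from a different origin.
        "Vary": "Origin",
    }


def browser_accepts(response_headers: Mapping[str, str], page_origin: str,
                    credentials: bool) -> bool:
    """Mirror the browser's check on Access-Control-Allow-Origin.

    With credentials the value must equal the page origin exactly and
    Allow-Credentials must be 'true'; '*' fails. Without credentials '*' passes.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if credentials:
        return acao == page_origin and headers.get("access-control-allow-credentials") == "true"
    return acao == "*" or acao == page_origin
```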