CORS issues on Windows

Zoom Apps Configuration
Angular/Firebase web application, hosted on Firebase and using Windows 11/10. The app is available here GitHub - biharygergo/card-estimator: Tiny project to enable remote estimation of sprint cards. and at Zoom Integration - Planning Poker

Description
When I try to use the app on Windows, calls to many services, like Firebase, Analytics or Sentry are blocked by the embedded browser’s CORS policy. There are no issues with the app in the native Edge browser on the same device or on Mac in Zoom or in the browser.

The errors are generic CORS errors, like this:

Access to fetch at 'https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=AIzaSyDcAquwdgHCtC-DUQ_-fMa0tdqUBKVi5C8' from origin 'https://planningpoker.live' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
polyfills.6e2186a06b02df18.js:1 
        
      
        
        
      
        
      
       
        
       POST https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=AIzaSyDcAquwdgHCtC-DUQ_-fMa0tdqUBKVi5C8 net::ERR_FAILED
(anonymous) @ polyfills.6e2186a06b02df18.js:1
o.<computed> @ polyfills.6e2186a06b02df18.js:1
(anonymous) @ main.33e9a7293106c331.js:1
(anonymous) @ main.33e9a7293106c331.js:1
h @ main.33e9a7293106c331.js:1
V @ main.33e9a7293106c331.js:1
invoke @ polyfills.6e2186a06b02df18.js:1
onInvoke @ main.33e9a7293106c331.js:1
invoke @ polyfills.6e2186a06b02df18.js:1
run @ polyfills.6e2186a06b02df18.js:1
(anonymous) @ polyfills.6e2186a06b02df18.js:1
invokeTask @ polyfills.6e2186a06b02df18.js:1
onInvokeTask @ main.33e9a7293106c331.js:1
invokeTask @ polyfills.6e2186a06b02df18.js:1
runTask @ polyfills.6e2186a06b02df18.js:1
_ @ polyfills.6e2186a06b02df18.js:1
invokeTask @ polyfills.6e2186a06b02df18.js:1
invoke @ polyfills.6e2186a06b02df18.js:1
m.args.<computed> @ polyfills.6e2186a06b02df18.js:1
setInterval (async)
d @ polyfills.6e2186a06b02df18.js:1
scheduleTask @ polyfills.6e2186a06b02df18.js:1
scheduleTask @ polyfills.6e2186a06b02df18.js:1
scheduleMacroTask @ polyfills.6e2186a06b02df18.js:1
Me @ polyfills.6e2186a06b02df18.js:1
(anonymous) @ polyfills.6e2186a06b02df18.js:1
o.<computed> @ polyfills.6e2186a06b02df18.js:1
(anonymous) @ main.33e9a7293106c331.js:1
setInterval @ main.33e9a7293106c331.js:1
requestAsyncId @ main.33e9a7293106c331.js:1
schedule @ main.33e9a7293106c331.js:1
schedule @ main.33e9a7293106c331.js:1
schedule @ main.33e9a7293106c331.js:1
h @ main.33e9a7293106c331.js:1
(anonymous) @ main.33e9a7293106c331.js:1
_next @ main.33e9a7293106c331.js:1
next @ main.33e9a7293106c331.js:1
F.subscribe.U.Q.K @ main.33e9a7293106c331.js:1
_next @ main.33e9a7293106c331.js:1
next @ main.33e9a7293106c331.js:1
(anonymous) @ main.33e9a7293106c331.js:1
invoke @ polyfills.6e2186a06b02df18.js:1
run @ polyfills.6e2186a06b02df18.js:1
(anonymous) @ polyfills.6e2186a06b02df18.js:1
invokeTask @ polyfills.6e2186a06b02df18.js:1
runTask @ polyfills.6e2186a06b02df18.js:1
_ @ polyfills.6e2186a06b02df18.js:1
invokeTask @ polyfills.6e2186a06b02df18.js:1
Z @ polyfills.6e2186a06b02df18.js:1
N @ polyfills.6e2186a06b02df18.js:1
B @ polyfills.6e2186a06b02df18.js:1
main.33e9a7293106c331.js:1 
        
       FirebaseError: Firebase: Error (auth/network-request-failed).
    at Je (main.33e9a7293106c331.js:1:770997)
    at fe (main.33e9a7293106c331.js:1:770448)
    at main.33e9a7293106c331.js:1:776218
    at Generator.throw (<anonymous>)
    at h (main.33e9a7293106c331.js:1:1064879)
    at F (main.33e9a7293106c331.js:1:1065126)
    at v.invoke (polyfills.6e2186a06b02df18.js:1:6553)
    at Object.onInvoke (main.33e9a7293106c331.js:1:505988)
    at v.invoke (polyfills.6e2186a06b02df18.js:1:6493)
    at M.run (polyfills.6e2186a06b02df18.js:1:1949)
    at polyfills.6e2186a06b02df18.js:1:16750
    at v.invokeTask (polyfills.6e2186a06b02df18.js:1:7171)
    at Object.onInvokeTask (main.33e9a7293106c331.js:1:505804)
    at v.invokeTask (polyfills.6e2186a06b02df18.js:1:7092)
    at M.runTask (polyfills.6e2186a06b02df18.js:1:2566)
    at _ (polyfills.6e2186a06b02df18.js:1:9188)

I’ve checked a few other Zoom apps using Firebase and I can see similar errors logged to the console (e.g.: Porter by Prezi).

Error?

/create:1 
        
       Access to fetch at 'https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=AIzaSyDcAquwdgHCtC-DUQ_-fMa0tdqUBKVi5C8' from origin 'https://planningpoker.live' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Troubleshooting Routes
I’ve tried this on multiple devices and checked what I could online, but I don’t yet see how this can be solved on the application-side. I’ve tried adding these URLs to the domain whitelist, but that does not seem to have an effect (and it works on Mac already, so that seems unnecessary).

How To Reproduce
Add the app to Zoom, click “Create new Room”, set your name and see the console for errors. Things work fine on Mac, this only happens on Windows.

Well, it looks like this issue was simpler than I thought. It seems that adding the URLs that have the CORS issue to the allowed domains list solves the issue.

This was super confusing for me for two reasons:

  1. Everything works fine on a Mac, so it didn’t occur to me that I’d have to whitelist additional URLs for Windows. Looks like the embedded browsers on the two platforms use a different whitelist?
  2. The error on the console gives no clues that the “CORS” issues are actually not CORS, but a missing configuration error. This lead me down a rabbit hole that it shouldn’t have.

I really hope this was it for my issues (the new release needs to go through submission), but it does work in the test environment already. I’ll leave this thread here so if anyone stumbles into similar CORS issues, this might help them.

3 Likes

Thanks for sharing your solution here @biharygergo!

Wow thank you so much for this! I was really confused by the cors errors. For anyone else seeing firebase cors errors only on windows clients the solution is to update the “Domain Allow List” within the “App Credentials” section of your app in the developer app manager portal. It should contain all the domains that firebase uses such as: