`/cdn-cgi/trace` endpoint no longer return CORS headers for some domains hosted on Cloudflare

This can be reproduced/validated through

curl https://[domain]/cdn-cgi/trace -I

curl https://[domain]/cdn-cgi/trace -I

curl https://[domain]/cdn-cgi/trace -I

curl https://[domain]/cdn-cgi/trace -I.

Here are some example domains that has its "/cdn-cgi/trace" endpoint returnning the

access-control-allow-origin: *

access-control-allow-origin: *

access-control-allow-origin: *

access-control-allow-origin: * heaedr.

www.cloudflare.com
cloudflarestream.com
cloudflaremirrors.com
pages.dev
www.npmjs.com
cf.bing.com
registry.npmjs.org
medium.com
www.loc.gov
nodejs.org
chat.openai.com
www.chess.com
and many more...

Here are a few example domains that no longer returns the

access-control-allow-origin: *

access-control-allow-origin: *

access-control-allow-origin: *

access-control-allow-origin: * heaeder for its "/cdn-cgi/trace" endpoint:

esm.run
images.weserv.nl
wsrv.nl
use.fontawesome.com
tailwindcss.com
I actually have found more...

Is this an intentional change to the Cloudflare internal? If so, will it be deployed more and more domains in the future?
Or is it configurable with dashboard/API? If so, is it possible for site owners to toggle this?
Will

cdn-cgi/trace

cdn-cgi/trace

cdn-cgi/trace

cdn-cgi/trace endpoint be affected by configured transform rules (like adding static response header?)?

`/cdn-cgi/trace` endpoint no longer return CORS headers for some domains hosted on Cloudflare

Similar Threads

Similar Threads

Similar Threads