`/cdn-cgi/trace` endpoint no longer returns CORS headers for some domains hosted on Cloudflare

This can be reproduced/validated through `curl https://[domain]/cdn-cgi/trace -I`.

Here are some example domains that have their "/cdn-cgi/trace" endpoint returning the `access-control-allow-origin: *` header:

- www.cloudflare.com
- cloudflarestream.com
- cloudflaremirrors.com
- pages.dev
- www.npmjs.com
- cf.bing.com
- registry.npmjs.org
- medium.com
- www.loc.gov
- nodejs.org
- chat.openai.com
- www.chess.com
- and many more...

Here are a few example domains that no longer return the `access-control-allow-origin: *` header for their "/cdn-cgi/trace" endpoint:

- esm.run
- images.weserv.nl
- wsrv.nl
- use.fontawesome.com
- tailwindcss.com
- I actually have found more...

Is this an intentional change to the Cloudflare internals? If so, will it be deployed to more and more domains in the future? Or is it configurable with the dashboard/API? If so, is it possible for site owners to toggle this? Will the cdn-cgi/trace endpoint be affected by configured transform rules (like adding a static response header)?
1 Reply
sukka (OP), 2mo ago
It seems that https://tailwindcss.com/cdn-cgi/trace has started to send the CORS header again, but https://wsrv.nl/cdn-cgi/trace, https://use.fontawesome.com/cdn-cgi/trace, https://esm.run/cdn-cgi/trace, and more still don't. Thanks! Would you like to share a few insights on this~?
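
For tracking the behaviour described in this thread over time, here is an added example (not part of the original posts and not Cloudflare tooling) that classifies `curl -I` output by whether the final response carries `access-control-allow-origin`. The function names and the sample header blocks are assumptions constructed for illustration; header names are matched case-insensitively and redirect hops printed by `curl -IL` are handled.

```shell
#!/bin/sh
# acao_of: read `curl -sI` (or `curl -sIL`) output on stdin and print the
# Access-Control-Allow-Origin value of the LAST response, or "absent".
acao_of() {
  awk '
    /^HTTP\// { val = ""; next }   # status line starts a new response: reset
    {
      line = $0
      sub(/\r$/, "", line)         # header lines end in CRLF
      i = index(line, ":")
      if (i == 0) next
      name = tolower(substr(line, 1, i - 1))
      if (name == "access-control-allow-origin") {
        v = substr(line, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        val = v
      }
    }
    END { print (val == "" ? "absent" : val) }
  '
}

# check_trace: live check of one or more domains (needs network access).
# Prints "domain<TAB>value-or-absent" per domain.
check_trace() {
  for d in "$@"; do
    printf '%s\t%s\n' "$d" \
      "$(curl -sI --max-time 10 "https://$d/cdn-cgi/trace" | acao_of)"
  done
}

# Constructed sample header blocks (not captured from any real domain).
SAMPLE_WITH=$(printf 'HTTP/2 200\r\ncontent-type: text/plain\r\naccess-control-allow-origin: *\r\n\r\n')
SAMPLE_WITHOUT=$(printf 'HTTP/2 200\r\ncontent-type: text/plain\r\n\r\n')
# Redirect hop carries the header, final response does not.
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nAccess-Control-Allow-Origin: *\r\nLocation: https://example.invalid/cdn-cgi/trace\r\n\r\nHTTP/2 200\r\ncontent-type: text/plain\r\n\r\n')
```

Run `check_trace esm.run tailwindcss.com` on a schedule and diff the output to see when a domain's behaviour flips.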
