Currently there are two deployments on GKE, my-app-frontend and my-app-backend; both are accessed through an ingress and protected by IAP. my-app-backend also has CORS enabled. When my-app-frontend, hosted at my-app.com, makes a request to my-app-backend, hosted at api.my-app.com, it is blocked due to a CORS error: Cross-Origin Resource Sharing error: MissingAllowOriginHeader. I'm looking for a solution that will keep my-app-frontend and my-app-backend on different hosts and does not involve code changes.
The same setup works well with Cloudflare Access, as you can add my-app.com and api.my-app.com as trusted origins and it will add an access-control-allow-origin header to the response, but I want to keep it within the GCP ecosystem.
Expected Result:
my-app-backend should be able to make HTTP requests to my-app-frontend while being hosted on different domains (my-app-backend -> api.my-app.com and my-app-frontend -> my-app.com) and should not involve code changes to check for/add headers on my-app-backend.
What I have tried so far:
- enabled HTTP Options in my-app-backend settings to not require auth headers for preflight requests.
- added my-app.com and api.my-app.com as authorized JavaScript origins in the OAuth 2.0 Client ID settings.
- hosted both deployments on the same domain (my-app-backend -> my-app.com/api and my-app-frontend -> my-app.com); this approach works, but it's not what I'm looking for as I want to keep them on different domains.
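
The MissingAllowOriginHeader error in the question comes from a check the browser runs on every response of a cross-origin request, redirects included. As an added example (not part of the original post), here is a simplified JavaScript model of that check; the function names, the reason labels other than MissingAllowOriginHeader, and the sample responses (including a header-less 302 standing in for a reply issued by an authenticating proxy before the backend is reached) are constructed assumptions.

```javascript
// Added example: simplified model of the browser's CORS response check.
// Covers only Access-Control-Allow-Origin / -Allow-Credentials, not all of Fetch.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return { ok: false, reason: 'MissingAllowOriginHeader' };
  const withCredentials = credentialsMode === 'include';
  if (allowOrigin === '*') {
    // A wildcard is never accepted for a credentialed request.
    return withCredentials
      ? { ok: false, reason: 'WildcardWithCredentials' }
      : { ok: true, reason: null };
  }
  if (allowOrigin !== requestOrigin) return { ok: false, reason: 'AllowOriginMismatch' };
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'MissingAllowCredentials' };
  }
  return { ok: true, reason: null };
}

// The check applies to each hop in order, so the first failing response
// decides the outcome and later hops are never reached.
function firstBlockedHop(requestOrigin, credentialsMode, hops) {
  for (const hop of hops) {
    const result = corsCheck(requestOrigin, credentialsMode, hop.headers);
    if (!result.ok) return { status: hop.status, reason: result.reason };
  }
  return null; // nothing blocked
}

// Constructed sample data (assumptions, not captured traffic).
const ORIGIN = 'https://my-app.com';
const backendReply = {
  status: 200,
  headers: {
    'Access-Control-Allow-Origin': ORIGIN,
    'Access-Control-Allow-Credentials': 'true',
  },
};
// Hypothetical sign-in redirect carrying no CORS headers at all.
const proxyRedirect = { status: 302, headers: { Location: 'https://login.example/' } };

console.log(firstBlockedHop(ORIGIN, 'include', [backendReply]));
console.log(firstBlockedHop(ORIGIN, 'include', [proxyRedirect, backendReply]));
```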