Cloudflare authenticated remote gateway generates CORS error #688

@oidebrett

Description

Problem Statement

In the authentication flow, when you click "Connect To Gateway" the browser sends a "preflight" (OPTIONS) request to the CLI process on http://127.0.0.1. That preflight fails or is blocked by the browser's own security layer and the actual connection is never made.

The reason: Chrome (and other modern browsers) recently tightened security for "Private Network Access." A public website (like the gateway connect page on a URL like https://openshell.mydomain.com) is not allowed to communicate with the local machine (http://127.0.0.1).

Proposed Design

Easy Documentation Fix: Add to the documentation: In Chrome this can be fixed by going to chrome://flags#local-network-access-check and setting it to Enabled (Blocking). This will trigger a one-time permission prompt for the site instead of a hard block.

Alternatives Considered

Longer term fix:

Option 1: Add Private Network Access header (minimal fix)

  • Add this response header in your CORS handling:

Access-Control-Allow-Private-Network: true

Option 2: Use localhost instead of 127.0.0.1

  • Change:

fetch("http://127.0.0.1:" + port + "/callback")
to:

fetch("http://localhost:" + port + "/callback")

None of these have been tested. I am happy to make a PR.

Agent Investigation

No response

Checklist

  • I've reviewed existing issues and the architecture docs
  • This is a design proposal, not a "please build this" request
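
Option 1 from the issue, written out as a preflight handler for a Node.js loopback listener. This is an added example, not code from the post or the project; the allowed origin is the example URL from the issue and the function names are hypothetical. It returns `Access-Control-Allow-Private-Network: true` only to the one gateway origin, because answering every origin would let any website the user visits reach the local callback port.

```javascript
// Added example, not project code. ALLOWED_ORIGIN is an assumed value (the
// example URL from the issue); replace it with the real gateway origin.
const ALLOWED_ORIGIN = "https://openshell.mydomain.com";

// Decide status and CORS headers for a request to the loopback listener.
// `headers` uses lower-case names, as Node delivers them in req.headers.
function corsDecision(method, headers, allowedOrigin = ALLOWED_ORIGIN) {
  const origin = headers["origin"];
  // Exact-match allowlist: never reflect arbitrary origins and never use "*".
  if (origin !== allowedOrigin) return { status: 403, headers: {} };

  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (method !== "OPTIONS") return { status: 200, headers: out };

  // Preflight: the page's fetch() to /callback is a plain GET.
  out["Access-Control-Allow-Methods"] = "GET";
  // Private Network Access: the browser announces a public-to-local request
  // with this request header and expects the matching response header.
  if (headers["access-control-request-private-network"] === "true") {
    out["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: out };
}

// Request handler compatible with http.createServer().
function handleCallback(req, res) {
  const { status, headers } = corsDecision(req.method, req.headers);
  res.writeHead(status, headers);
  res.end(); // real callback processing would run here when status is 200
}

// Bind to loopback only so the listener is not reachable from the network.
async function startCallbackServer(port) {
  const http = await import("node:http");
  return http.createServer(handleCallback).listen(port, "127.0.0.1");
}
```
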
