Fix CORS issues when using minio in development#2814
Merged
flavorjones merged 1 commit intomainfrom Apr 8, 2026
Merged
Conversation
flavorjones
force-pushed
the
fix-dev-minio
branch
from
7081d88 to
d7a95a5
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the development MinIO endpoint hostname so that Active Storage redirects remain same-site with the app, avoiding CORS failures during service worker fetch(..., { mode: "cors" }) requests.
Changes:
- Update the
devminioS3 endpoint fromminio.localhosttominio.fizzy.localhostin both OSS and SaaS storage configs. - Update development CSP overrides (
connect_src,img_src) to allow the new MinIO origin.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
saas/config/storage.yml |
Points SaaS dev MinIO endpoint at minio.fizzy.localhost:39000 to keep redirects same-site. |
config/storage.oss.yml |
Points OSS dev MinIO endpoint at minio.fizzy.localhost:39000 to keep redirects same-site. |
config/environments/development.rb |
Updates CSP allowances to match the new MinIO origin in dev. |
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Move MinIO from minio.localhost to minio.fizzy.localhost, which makes it same-site with the app, so the CORS redirect succeeds. The service worker fetches Active Storage URLs with `mode: "cors"` so it can inspect response sizes for offline caching. Active Storage's redirect controller returns a 302 to the MinIO presigned URL. When that redirect crosses site boundaries (from fizzy.localhost to minio.localhost), the browser sets the Origin header to "null" on the redirected request per the Fetch spec, which fails the CORS check and produces net::ERR_FAILED.
flavorjones
force-pushed
the
fix-dev-minio
branch
from
d7a95a5 to
3560f7a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Move MinIO from minio.localhost to minio.fizzy.localhost, which makes it same-site with the app, so the CORS redirect succeeds.
The service worker fetches Active Storage URLs with
mode: "cors"so it can inspect response sizes for offline caching. Active Storage's redirect controller returns a 302 to the MinIO presigned URL. When that redirect crosses site boundaries (from fizzy.localhost to minio.localhost), the browser sets the Origin header to "null" on the redirected request per the Fetch spec, which fails the CORS check and produces net::ERR_FAILED.