Problem
When a Cross-origin resource sharing (CORS) request is sent to an App Engine service running behind Identity Aware Proxy (IAP) either from a different App Engine service or a different resource, the browser throws CORS errors.
Environment
- App Engine Standard
- Flexible environments
Solution
- Enable HTTP OPTIONS (CORS preflight) request on IAP by following our public documentation.
Cause
Each App Engine service has a different subdomain which would make the JavaScript requests between the services cross-origin requests. When a browser detects a CORS request, it first sends an OPTIONS (preflight) request to the endpoint before sending the actual request, the actual request is only sent if the response to the preflight request contains the access-control-allow-origin header with the value containing the origin domain or the wildcard *. More information about CORS can be found here. IAP has CORS disabled by default. Enabling the same will fix the issue.