next.js
d0a0474d - fix allowedDevOrigins for no-cors requests (#91506)

Commit
107 days ago
fix allowedDevOrigins for no-cors requests (#91506) This PR makes configured `allowedDevOrigins` apply to cross-site no-cors dev asset requests. When browsers omit Origin for subresource loads, the dev guard now falls back to `Referer` so explicit allowlisted hosts can load `/_next/*` resources in development. Previously, when `allowedDevOrigins` was configured, cross-site no-cors requests to internal Next.js dev resources were still blocked even for allowlisted hosts, because that code path never consulted the allowlist.
Author
Parents
Loading