Since the site started to generate these CORS errors, I did some debugging and noticed that the DatoCMS GraphQL API returns http://localhost:5173 as Access-Control-Allowed-Origin on a totally different domain. This is the URL I was previously using for local development.
The issue doesn’t arise when the browser performs the requests; it’s strictly happening in a server-to-server context. So I was wondering why this is. Could it be that DatoCMS caches an origin for a given API key? Could it be that the Origin header is missing in the request and DatoCMS is using a cached value for the response?
Why is DatoCMS not responding with Access-Control-Allowed-Origin: * ?
Quick update: I can confirm that the request does not have an Origin header value set when doing Server-to-Server communication. So the question/problem boils down to:
If the GraphQL request does not have an Origin set, the response from DatoCMS might contain an invalid Access-Control-Allowed-Origin value. Ideally, the value would be * in these cases…
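The caching hypothesis raised in this post can be modelled offline. The following is an added example, not part of the original post and not DatoCMS code: a toy shared cache in front of an API that reflects the request's Origin into the standard Access-Control-Allow-Origin response header, replayed with and without `Vary: Origin`. The `upstream`, `SharedCache` and `replay` names and the `api.example.test` URL are assumptions made for the illustration.

```javascript
// Added illustration (hypothetical names, constructed requests); it does not
// describe how DatoCMS is actually implemented.

// Upstream API: reflects Origin into Access-Control-Allow-Origin and,
// depending on sendVary, declares that the response varies by Origin.
function upstream(req, { sendVary }) {
  const headers = { "content-type": "application/json" };
  if (req.headers.origin) {
    headers["access-control-allow-origin"] = req.headers.origin;
  }
  if (sendVary) headers["vary"] = "Origin";
  return { status: 200, headers, body: '{"data":{}}' };
}

// Toy cache: keys on URL plus the request headers named in the stored Vary.
class SharedCache {
  constructor(origin) {
    this.origin = origin; // function(req) -> response
    this.entries = [];    // [{ url, varyOn: { headerName: value }, response }]
  }
  fetch(req) {
    const hit = this.entries.find(e =>
      e.url === req.url &&
      Object.entries(e.varyOn).every(
        ([name, value]) => (req.headers[name] ?? null) === value));
    if (hit) return { ...hit.response, cache: "HIT" };
    const response = this.origin(req);
    const varyNames = (response.headers["vary"] || "")
      .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    const varyOn = Object.fromEntries(
      varyNames.map(n => [n, req.headers[n] ?? null]));
    this.entries.push({ url: req.url, varyOn, response });
    return { ...response, cache: "MISS" };
  }
}

// Replay: a browser on the dev origin first, then a server sending no Origin.
function replay(sendVary) {
  const cache = new SharedCache(req => upstream(req, { sendVary }));
  const url = "https://api.example.test/graphql"; // placeholder URL
  const browser = cache.fetch({ url, headers: { origin: "http://localhost:5173" } });
  const server = cache.fetch({ url, headers: {} });
  return {
    browserAcao: browser.headers["access-control-allow-origin"],
    serverAcao: server.headers["access-control-allow-origin"] ?? null,
    serverCache: server.cache,
  };
}

console.log("without Vary: Origin ->", replay(false));
console.log("with Vary: Origin    ->", replay(true));
```

Against a real endpoint, the same comparison is made by inspecting the `Vary` and cache-status headers of responses to requests sent with and without an Origin header.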