DELETE endpoints do not include ‘Access-Control-Allow-Origin’ in the header which causes web browsers to report a CORS error

[mwoolweaver]

Versions

Core
Version is v6.0.4-1-ga7e414ac (Latest: null)
Branch is development
Hash is a7e414a (Latest: a7e414a)
Web
Version is v6.0.1-10-gec8beaf5 (Latest: null)
Branch is development
Hash is ec8beaf5 (Latest: ec8beaf5)
FTL
Version is vDev-39a852e (Latest: null)
Branch is development
Hash is 39a852e (Latest: 39a852e)

Platform

• OS and version: Ubuntu 24.04.2

• Platform: Raspberry Pi 4

Expected behavior

Access-Control-Allow-Origin: * to be in the header like it is with other endpoints

Actual behavior / bug

Access-Control-Allow-Origin: * is missing and seems to cause Firefox and Chrome to report a CORS error

Steps to reproduce

Steps to reproduce the behavior:

https://gist.github.com/mwoolweaver/f5fe7a58f38cfe68e05b7b5e491e65fc

simple website to allow quickly disabling pihole via bookmark

1. download the file locally (not on Pi-hole)

2. Open in firefox or chrome and fill in the boxes with relevant info and open the inspector before clicking submit

3. click submit and watch the DELETE request show a CORS error

4. now host that same file on the Pi-hole device, repeat steps 2 & 3

5. now you will see the 204 response that's expected without the CORS error

Debug Token

• URL: https://tricorder.pi-hole.net/u4r5FwQr/

Screenshots

Additional context

Add any other context about the problem here.

[mwoolweaver]

i know that additional headers can be included but i don't understand what causes the DELETE to fail when not hosted on Pi-hole device and all the other requests are successful

[mwoolweaver]

Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *

these are included in the response of every other endpoint that's not a DELETE endpoint from what i can see.

[DL6ER]

Access-Control-Allow-Origin: * to be in the header like it is with other endpoints

Is it?

From another machine:

$ curl -Ik https://pi.hole/admin/login
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, private, max-age=0
Expires: 0
Pragma: no-cache
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
Date: Sun, 23 Feb 2025 18:47:38 GMT
Connection: close

On the Pi-hole itself:

$ curl -Ik https://localhost/admin/login
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, private, max-age=0
Expires: 0
Pragma: no-cache
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
Date: Sun, 23 Feb 2025 18:48:32 GMT
Connection: close

I don't see Access-Control-Allow-Origin or any of its friends here.

[mwoolweaver]

I wonder where Firefox and Chrome are getting them from?

this is Firefox

this is Chrome

if this is a browser issue feel free to close.

[DL6ER]

I am undecided concerning the Access-Control-Allow-Origin (and friends) headers. How should they look like on Pi-hole? Should we set them?