2026-05-05. When a Worker is gated by Cloudflare Access AND called via cross-domain fetch with credentials, the OPTIONS preflight gets blocked by Access (no auth cookie on preflight) → "Failed to fetch" in browser. Fix = flip "Bypass options requests to origin" toggle in the Access app's Additional Settings → CORS headers tab. Worker handles CORS itself. One toggle, instant fix.
That tells Cloudflare Access to send OPTIONS requests straight to the Worker without authentication. The Worker handles CORS itself (must return Access-Control-Allow-Origin, Allow-Methods, Allow-Headers, Allow-Credentials). The actual POST request still requires the Access auth cookie.
Read the doctrine. Apply it on the next ship cycle.
2026-05-05. When a Worker is gated by Cloudflare Access AND called via cross-domain fetch with credentials, the OPTIONS preflight gets blocked by Access (no auth cookie on preflight) → "Failed to fetch" in browser. Fix = flip "Bypass options requests to origin" toggle in the Access app's Additional Settings → CORS headers tab. Worker handles CORS itself. One toggle, instant fix.
"I'm almost positive I can help. If I can't, you don't pay."
— PJ · SideGuy Solutions · 858-461-8054 · sms:+18584618054
📲 Text PJ — 858-461-8054
Text PJ ⚡
858-461-8054