From 573ec2baff1c560c4b8a400cdccb09f4d50882d2 Mon Sep 17 00:00:00 2001 From: Alan Agius <17563226+alan-agius4@users.noreply.github.com> Date: Thu, 9 Apr 2026 14:38:04 +0000 Subject: [PATCH 1/2] fix(@angular/build): allow configuring Access-Control-Allow-Origin via headers option Removes the default Vite CORS origin: true configuration, allowing custom Access-Control-Allow-Origin header configurations to take effect when using the development server. BREAKING CHANGE: The development server (ng serve) no longer automatically mirrors the request origin in the Access-Control-Allow-Origin response header by default. If your application relies on cross-origin requests during local development, you must now explicitly configure the required CORS headers using the headers option in your angular.json configuration. Fixes #32923 --- .../dev-server/tests/options/headers_spec.ts | 14 ++++++++++++++ .../build/src/builders/dev-server/vite/server.ts | 3 --- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts b/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts index bff502b84d4b..44c8f080103d 100644 --- a/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts +++ b/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts @@ -37,6 +37,20 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT expect(await response?.headers.get('x-custom')).toBe('foo'); }); + it('should include configured Access-Control-Allow-Origin header', async () => { + harness.useTarget('serve', { + ...BASE_OPTIONS, + headers: { + 'Access-Control-Allow-Origin': 'http://example.com', + }, + }); + + const { result, response } = await executeOnceAndFetch(harness, '/main.js'); + + expect(result?.success).toBeTrue(); + expect(await response?.headers.get('access-control-allow-origin')).toBe('http://example.com'); + }); + it('media resource response headers should include configured header', async () => { await harness.writeFiles({ 'src/styles.css': `h1 { background: url('./test.svg')}`, diff --git a/packages/angular/build/src/builders/dev-server/vite/server.ts b/packages/angular/build/src/builders/dev-server/vite/server.ts index 73f58ad5c348..4213fdaf1470 100644 --- a/packages/angular/build/src/builders/dev-server/vite/server.ts +++ b/packages/angular/build/src/builders/dev-server/vite/server.ts @@ -62,9 +62,6 @@ async function createServerConfig( ws: serverOptions.liveReload === false && serverOptions.hmr === false ? false : undefined, proxy, cors: { - // This will add the header `Access-Control-Allow-Origin: http://example.com`, - // where `http://example.com` is the requesting origin. - origin: true, // Allow preflight requests to be proxied. preflightContinue: true, }, From afddf6a2c45824ef2aaba6f79352c3f18db677bf Mon Sep 17 00:00:00 2001 From: Alan Agius <17563226+alan-agius4@users.noreply.github.com> Date: Fri, 10 Apr 2026 10:16:55 +0000 Subject: [PATCH 2/2] fixup! fix(@angular/build): allow configuring Access-Control-Allow-Origin via headers option --- .../builders/dev-server/tests/options/headers_spec.ts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts b/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts index 44c8f080103d..e104f213cd4a 100644 --- a/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts +++ b/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts @@ -51,6 +51,17 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT expect(await response?.headers.get('access-control-allow-origin')).toBe('http://example.com'); }); + it('should not include Access-Control-Allow-Origin header by default', async () => { + harness.useTarget('serve', { + ...BASE_OPTIONS, + }); + + const { result, response } = await executeOnceAndFetch(harness, '/main.js'); + + expect(result?.success).toBeTrue(); + expect(await response?.headers.has('access-control-allow-origin')).toBeFalse(); + }); + it('media resource response headers should include configured header', async () => { await harness.writeFiles({ 'src/styles.css': `h1 { background: url('./test.svg')}`,