Hi. I’m absolutely loving the new App Builder! I’m having one issue that I hope someone can assist with. I’m self-hosting BaseRow in a docker container and accessing it through a CloudFlare Tunnel. I set it up like this for a bit of added security. It has always worked fine accessing BaseRow. And for the most part, it works when accessing Application pages that are published.
However, on pages that contain certain elements, I get an error: "Network error Could not connect to the API server. If I look in the dev console of my browser, I see an error: "Access to XMLHttpRequest at ‘<https://my-baserow-url/api/builder/data-source/36/dispatch/?offset=42&count=58’ from origin ‘https://my-published-url’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
I’m not sure if this is too specific to warrant looking into. It is definitely related to the tunnel, because if I set the tunnel to “bypass” it works fine. Most pages still work - they just show the error. However some do not work at all.
It may just be a case that you cannot support access via a non-standard way like a CloudFlare tunnel. but I thought it was worth asking.
Not sure if it helps, but I found this article in CloudFlare KBs:
I see an error saying No Access-Control-Allow-Origin header is present on the requested resource.
Cloudflare Access requires that the credentials: same-origin parameter be added to JavaScript when using the Fetch API (to include cookies). AJAX requests fail without this parameter present. For more information, refer to our documentation about CORS settings.
Just an update on this. Even using that solution, there were still issues. Buttons didn’t work etc. I ended up removing the CloudFlare tunnel as I couldn’t work out the right settings to get it working.
My last update in case anyone else is trying to do something similar. It seems that you can put the applications behind a CloudFlare tunnel without an issue, as long as the db itself is not behind one. This works out OK for me as the applications seem to be the more vulnerable for me. The application URL is the one I am sharing and I’m less comfortable about remembering to mark each section behind “Logged-in visitors”.
