network CORS not working for custom domain

Preflight checklist

[x] I could not find a solution in the existing issues, docs, nor discussions.
[x] I agree to follow this project's Code of Conduct.
[x] I have read and am following this repository's Contribution Guidelines.
[x] I have joined the Ory Community Slack.
[x] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

distracted-buck-lwl68daajh

Describe the bug

I enter https://my-dev.tradium.com as allowed cross origin for my custom domain. I get the following console errors when trying to use it: Firefox: Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf https://dev-auth.tradium.com/.well-known/openid-configuration?client_id=77e0932c-6c2d-4961-9c10-878003a02aad. (Grund: CORS-Kopfzeile 'Access-Control-Allow-Origin' stimmt nicht mit 'https://my-dev.tradium.com,https://my-dev.tradium.com' überein).

Chrome: Access to XMLHttpRequest at 'https://dev-auth.tradium.com/.well-known/openid-configuration?client_id=77e0932c-6c2d-4961-9c10-878003a02aad' from origin 'https://my-dev.tradium.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://my-dev.tradium.com,https://my-dev.tradium.com', but only one is allowed.

Reproducing the bug

See Description

Relevant log output

Firefox: 
Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf https://dev-auth.tradium.com/.well-known/openid-configuration?client_id=77e0932c-6c2d-4961-9c10-878003a02aad. (Grund: CORS-Kopfzeile 'Access-Control-Allow-Origin' stimmt nicht mit '[https://my-dev.tradium.com,https://my-dev.tradium.com](https://my-dev.tradium.com,https//my-dev.tradium.com)' überein).

Chrome:
Access to XMLHttpRequest at 'https://dev-auth.tradium.com/.well-known/openid-configuration?client_id=77e0932c-6c2d-4961-9c10-878003a02aad' from origin 'https://my-dev.tradium.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://my-dev.tradium.com,https://my-dev.tradium.com', but only one is allowed.

Relevant configuration

Version

Cloud

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker

Additional Context

No response

May 23 '25 10:05 bkr-bc

Hello Bernhard,

Is it possible that you have added both the custom domain CORS configuration (https://www.ory.sh/docs/guides/custom-domains#cors) as well as the project wide CORS settings (https://www.ory.sh/docs/guides/cors)? You typically only need the custom domains setting for most use cases.

May 23 '25 21:05 jhickmanit

Hi, that might acutally be the case I will check that.

May 27 '25 08:05 bkr-bc