fix(@angular/build): allow configuring Access-Control-Allow-Origin via headers option

alan-agius4 · alan-agius4 · commit 573ec2baff1c · 2026-04-09T14:38:31.000Z
Removes the default Vite CORS origin: true configuration, allowing custom Access-Control-Allow-Origin header configurations to take effect when using the development server. BREAKING CHANGE: The development server (ng serve) no longer automatically mirrors the request origin in the Access-Control-Allow-Origin response header by default. If your application relies on cross-origin requests during local development, you must now explicitly configure the required CORS headers using the headers option in your angular.json configuration. Fixes #32923
diff --git a/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts b/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts
@@ -37,6 +37,20 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT
       expect(await response?.headers.get('x-custom')).toBe('foo');
     });
 
+    it('should include configured Access-Control-Allow-Origin header', async () => {
+      harness.useTarget('serve', {
+        ...BASE_OPTIONS,
+        headers: {
+          'Access-Control-Allow-Origin': 'http://example.com',
+        },
+      });
+
+      const { result, response } = await executeOnceAndFetch(harness, '/main.js');
+
+      expect(result?.success).toBeTrue();
+      expect(await response?.headers.get('access-control-allow-origin')).toBe('http://example.com');
+    });
+
     it('media resource response headers should include configured header', async () => {
       await harness.writeFiles({
         'src/styles.css': `h1 { background: url('./test.svg')}`,
diff --git a/packages/angular/build/src/builders/dev-server/vite/server.ts b/packages/angular/build/src/builders/dev-server/vite/server.ts
@@ -62,9 +62,6 @@ async function createServerConfig(
     ws: serverOptions.liveReload === false && serverOptions.hmr === false ? false : undefined,
     proxy,
     cors: {
-      // This will add the header `Access-Control-Allow-Origin: http://example.com`,
-      // where `http://example.com` is the requesting origin.
-      origin: true,
       // Allow preflight requests to be proxied.
       preflightContinue: true,
     },
