fix(@angular/build): allow configuring Access-Control-Allow-Origin via headers option

alan-agius4 · web-flow · commit b85ec6798b5c · 2026-04-10T12:31:10.000+02:00
Removes the default Vite CORS origin: true configuration, allowing custom Access-Control-Allow-Origin header configurations to take effect when using the development server.
diff --git a/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts b/packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts
@@ -37,6 +37,31 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT
       expect(await response?.headers.get('x-custom')).toBe('foo');
     });
 
+    it('should include configured Access-Control-Allow-Origin header', async () => {
+      harness.useTarget('serve', {
+        ...BASE_OPTIONS,
+        headers: {
+          'Access-Control-Allow-Origin': 'http://example.com',
+        },
+      });
+
+      const { result, response } = await executeOnceAndFetch(harness, '/main.js');
+
+      expect(result?.success).toBeTrue();
+      expect(await response?.headers.get('access-control-allow-origin')).toBe('http://example.com');
+    });
+
+    it('should not include Access-Control-Allow-Origin header by default', async () => {
+      harness.useTarget('serve', {
+        ...BASE_OPTIONS,
+      });
+
+      const { result, response } = await executeOnceAndFetch(harness, '/main.js');
+
+      expect(result?.success).toBeTrue();
+      expect(await response?.headers.has('access-control-allow-origin')).toBeFalse();
+    });
+
     it('media resource response headers should include configured header', async () => {
       await harness.writeFiles({
         'src/styles.css': `h1 { background: url('./test.svg')}`,
diff --git a/packages/angular/build/src/builders/dev-server/vite/server.ts b/packages/angular/build/src/builders/dev-server/vite/server.ts
@@ -62,9 +62,6 @@ async function createServerConfig(
     ws: serverOptions.liveReload === false && serverOptions.hmr === false ? false : undefined,
     proxy,
     cors: {
-      // This will add the header `Access-Control-Allow-Origin: http://example.com`,
-      // where `http://example.com` is the requesting origin.
-      origin: true,
       // Allow preflight requests to be proxied.
       preflightContinue: true,
     },
