# INTERNAL: grpc-web: CORS preflight failed for origin http://example.com with credentials flag

- **ID:** `grpc/grpc-web-cors-credentials`
- **Domain:** grpc
- **Category:** config_error
- **Error Code:** `ECORS`
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

Browser enforces CORS preflight check fails because the server doesn't include Access-Control-Allow-Credentials header when the client sends withCredentials: true.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Envoy v1.29.0 | active | — | — |
| gRPC-Web v1.4.2 | active | — | — |
| gRPC-Web v1.5.0 | active | — | — |
| Istio v1.21.0 | active | — | — |

## Workarounds

1. **Configure the proxy (Envoy/NGINX) to return Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: http://example.com explicitly.** (90% success)
   ```
   Configure the proxy (Envoy/NGINX) to return Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: http://example.com explicitly.
   ```
2. **Remove `withCredentials: true` from the client if authentication is not required for the RPC.** (70% success)
   ```
   Remove `withCredentials: true` from the client if authentication is not required for the RPC.
   ```

## Dead Ends

- **Disabling CORS entirely in the browser** — Browsers enforce CORS; it cannot be disabled by client code. (99% fail)
- **Adding Access-Control-Allow-Origin: * only** — With credentials, the origin must be explicit, not wildcard. (90% fail)