From 60e300335b1a195e8f7e6e405b9b73fc7f69deb2 Mon Sep 17 00:00:00 2001 From: louispaulb Date: Thu, 23 Apr 2026 10:57:57 -0400 Subject: [PATCH] fix(ops/TaskNode): drop credentials:'include' on job-delete fetch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The hub responds with `Access-Control-Allow-Origin: *`, and the CORS spec forbids the wildcard + credentials combination. Firefox rejects the preflight before any response reaches JS, surfacing as "NetworkError when attempting to fetch resource" when a user clicks "Supprimer cette tâche" on an already-completed step (or any step). Every other HUB_URL call in the ops SPA already omits credentials — aligning TaskNode with the rest of the codebase is the simplest fix. Co-Authored-By: Claude Opus 4.7 --- apps/ops/src/components/shared/TaskNode.vue | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apps/ops/src/components/shared/TaskNode.vue b/apps/ops/src/components/shared/TaskNode.vue index 6c3a65f..20204d1 100644 --- a/apps/ops/src/components/shared/TaskNode.vue +++ b/apps/ops/src/components/shared/TaskNode.vue @@ -329,10 +329,13 @@ function confirmDelete () { persistent: true, }).onOk(async () => { try { + // NB: no `credentials: 'include'` — the hub responds with + // `Access-Control-Allow-Origin: *`, and that combination is forbidden + // by the CORS spec (browsers reject the preflight as NetworkError). + // Every other hub call in this SPA follows the same pattern. const res = await fetch(`${HUB_URL}/dispatch/job-delete`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, - credentials: 'include', body: JSON.stringify({ job: props.job.name }), }) const body = await res.json().catch(() => ({}))