Description
Describe the bug
I’m attempting to integrate a micro-service API into a frontend running inside StackBlitz WebContainer, which dynamically generates URLs with the *.local-credentialless.webcontainer-api.io suffix.
To enable cross-origin access, I’ve configured the backend (Spring Boot) with the following:
• Added https://*.local-credentialless.webcontainer-api.io to allowedOriginPatterns in the CORS configuration.
• Allowed necessary HTTP methods and headers (e.g., GET, POST, x-api-key, Content-Type, etc.).
• Set the Cross-Origin-Embedder-Policy header to credentialless.
Despite these configurations, I’m still encountering CORS errors in the browser console. The error message indicates that the Access-Control-Allow-Origin header is either missing or not matching the request origin.
I’ve also confirmed that:
• CORS is enabled via Spring Security’s SecurityFilterChain.
• Preflight (OPTIONS) requests are permitted.
• Other origins (like http://localhost:8000) work without issues.
Would appreciate help identifying what might be misconfigured or missing for support with WebContainer’s credentialless URLs.
Link to the blitz that caused the error
ourUrlIsPrivate.net
Steps to reproduce
Mentioned in the description
Expected behavior
I should be able to call the API without CORS errors
Parity with Local
- I have run the project on my local machine and I could not reproduce the issue.
Screenshots
No response
Platform
- OS: [e.g. macOS, Windows, Linux]
- Browser: [e.g. Chrome, Safari, Firefox]
- Version: [e.g. 91.1]
Additional context
No response
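
The browser-side checks behind the error quoted in the report, as an added example that is not part of the original report or the reporter's code: it models the Fetch standard's CORS check and preflight check so that headers captured from a failing OPTIONS response can be evaluated offline. The origin and all header values are constructed samples.

```javascript
// Added example: models the browser-side CORS checks from the Fetch standard.
// Header maps use lowercase names. All sample values below are constructed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// The "CORS check" applied to the preflight response and the actual response.
function corsCheck(origin, headers, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "missing Access-Control-Allow-Origin";
  if (!withCredentials && allowOrigin === "*") return "ok";
  // Exact string comparison: no pattern, no list, no trailing slash.
  if (allowOrigin !== origin) return "Access-Control-Allow-Origin mismatch";
  if (!withCredentials) return "ok";
  return headers["access-control-allow-credentials"] === "true"
    ? "ok" : "missing Access-Control-Allow-Credentials: true";
}

// Preflight check. req.headers lists the non-safelisted request header names.
function preflightCheck(req, status, headers) {
  const base = corsCheck(req.origin, headers, req.withCredentials);
  if (base !== "ok") return base;
  if (status < 200 || status > 299) return "preflight status " + status;
  const methods = splitList(headers["access-control-allow-methods"]);
  const allowed = splitList(headers["access-control-allow-headers"]).map((h) => h.toLowerCase());
  // "*" is a wildcard only for requests sent without credentials.
  const star = (list) => !req.withCredentials && list.includes("*");
  if (!SAFELISTED_METHODS.has(req.method) && !methods.includes(req.method) && !star(methods))
    return "method not allowed: " + req.method;
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    // Authorization is never covered by the wildcard.
    const wildcardOk = star(allowed) && name !== "authorization";
    if (!allowed.includes(name) && !wildcardOk) return "header not allowed: " + name;
  }
  return "ok";
}

// Constructed sample: hypothetical WebContainer origin calling with x-api-key.
const sampleRequest = {
  origin: "https://example-preview.local-credentialless.webcontainer-api.io",
  method: "POST", headers: ["x-api-key", "content-type"], withCredentials: false,
};
```

Calling `preflightCheck(sampleRequest, status, headers)` with the status and headers of the real OPTIONS response returns either "ok" or the first check that fails.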