Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I think there's something wrong with CORS in the cloud. When I switch to my own UI login address redirects start to fail

What do you mean by redirects start to fail? Could you provide me with more information than that? CORS also has nothing to do with browser redirects, CORS is for calling your cloud project through an AJAX request from a different origin.

OK, I think I have a better understanding of the problem now. When I change the login address MY website rejects the request because of CORS. Origin header is set to `null` as described here <https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-null-for-privacy-sensitiv>  I'm not sure if this is a problem.

I set `Access-Control-Allow-Origin` to `null` and it all works but it does seem shady, doesn't it?

You shouldn't set the CORS headers yourself. You can add more "allowed" origins to the CORS CNAME setup on Ory Cloud. There the CORS headers will be set for your application. When you make a `fetch` or `ajax` request you only need to allow CORS

```fetch(url, {mode: 'cors'})```