[DrOctagon]

I had a similar issue once with an app hosted on Azure. Large images were triggering the WAF sometimes as a ‘chunk’ of the image would falsely match a default firewall rule.

The CORS error was because the ‘request blocked’ response was a html page without cross origin headers.

Worth checking for that

[dalmo3]

Yes, I've seen this same issue with AWS lambdas. Browser reports CORS errors but sending the same request with Postman returns HTTP500, which made me realise it was a malformed request.

[MucuMare]

Very interesting, thanks for the pointer, much appreciated. I was suspecting it has to do with uploading large images but your comment made it clear where to look at now.