
Hi,

I got the following error when trying to fetch from activities/xxx/streams:

Access to fetch at 'https://www.strava.com/api/v3/activities/15565079206/streams?keys=latlng&key_by_type=true' from origin 'https://strava-mapy.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

When debugging in Chrome, I can see in the “Network” tab that there is no Access-Control-Allow-Origin response header for the activities/xxx/streams request:

It seems like a bug. It must have disappeared recently because I remember two weeks ago it worked fine.

I also noticed that other methods work fine. See, for example, the response headers for the /activities method:

Could you check it, please? Can you add Access-Control-Allow-Origin back to the activities/xxx/streams method?

Thanks a lot,

Jan

I have the same problem. It was OK last week.


This issue has occurred since the 21st of August for our iOS mobile users only: our mobile app uses an embedded webview.

iOS WKWebView CORS origin: "ionic://localhost" fails (didn't fail before 21/8)

Android / browser CORS origin: http://localhost:XX still works

It sounds like the CORS response header depends on the CORS origin header (new regex rule?).


Hi,

We encounter the same issue on our mobile app with an embedded webview (ionic) but only for iOS users. It suddenly appeared on 8/21.

The issue seems to depend on the CORS origin scheme / protocol. For Android webviews or browsers, when origin = “http://localhost:XXXX”, the issue does not occur.

But on iOS WKWebView (with origin = ionic://localhost), the issue occurs after 8/21 (no more CORS response header “Access-Control-Allow-Origin” returned).

We just resolved the issue by implementing a new endpoint on our backend server so our mobile app's embedded webview does not need to call the activity/stream API directly. This stuff is now delegated to the backend endpoint, which can return the CORS header as expected.

Sounds like Strava servers (for activity/stream API) now rely on some kind of regex rule to allow CORS header according to request origin ...


Hi,

Yep, I also had to help myself by implementing an API method on my backend - proxying the call to the /streams API.

But now it seems the Strava guys resolved this issue - you can probably switch to direct Strava API calls from the browser.

Access-Control-Allow-Origin response header rose back again :)
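
The backend-proxy workaround described in the replies above, as an added example (not code from any poster or from Strava). The `/streams/<id>` route, the allowlist contents and the function names are assumptions; the upstream URL and the two origins are the ones quoted in the thread.

```javascript
// Added example, not code from the thread: CORS-aware proxy for the streams call.
// Exact-match allowlist, including the custom-scheme origin iOS WKWebView sends.
const ALLOWED_ORIGINS = new Set(['https://strava-mapy.com', 'ionic://localhost']);
const STRAVA_API = 'https://www.strava.com/api/v3';

// Echo the origin back only on an exact match; never reflect arbitrary origins.
function corsHeaders(origin) {
  const headers = { Vary: 'Origin' }; // keep caches from mixing origins
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Headers'] = 'Authorization';
    headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS';
  }
  return headers;
}

// Transport-independent core, returns { status, headers, body }.
// fetchImpl is injectable so the logic can be exercised offline.
async function proxyStreams({ method, path, origin, authorization }, fetchImpl = fetch) {
  const headers = corsHeaders(origin);
  if (method === 'OPTIONS') return { status: 204, headers, body: '' }; // preflight
  // Assumed route: /streams/<activity id>. Digits only, so a client cannot
  // steer the upstream request to a different path or host.
  const m = /^\/streams\/(\d{1,20})$/.exec(path);
  if (method !== 'GET' || !m) return { status: 404, headers, body: 'not found' };
  // The caller's own token is forwarded; the proxy holds no Strava credential.
  if (!authorization) return { status: 401, headers, body: 'missing token' };
  const upstream = await fetchImpl(
    `${STRAVA_API}/activities/${m[1]}/streams?keys=latlng&key_by_type=true`,
    { headers: { Authorization: authorization } });
  return {
    status: upstream.status,
    headers: { ...headers, 'Content-Type': 'application/json' },
    body: await upstream.text(),
  };
}

// Node adapter; dynamic import works from CommonJS and ES modules alike.
async function start(port) {
  const { createServer } = await import('node:http');
  return createServer((req, res) => {
    proxyStreams({ method: req.method, path: req.url,
      origin: req.headers.origin, authorization: req.headers.authorization })
      .then((r) => res.writeHead(r.status, r.headers).end(r.body))
      .catch(() => res.writeHead(502).end('upstream error'));
  }).listen(port);
}
```

Calling `start(3000)` serves the proxy; the Origin header only controls what browsers will read, so the forwarded bearer token remains the actual access control.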