CORS Errors on /oauth/token When Using Sentry

Overview

When a custom domain is added, Cross-Origin Resource Sharing (CORS) errors occur on the /oauth/token endpoint. The following error message appears:

Access to fetch at '.../oauth/token' from origin '...' has been blocked by CORS policy: Request header field baggage is not allowed by Access-Control-Allow-Headers in '...' preflight response.

Applies To
  • Sentry
  • Custom Domain

Cause

Sentry adds the sentry-trace and baggage headers to XMLHttpRequest (XHR) requests to /oauth/token. These headers are not listed in the Access-Control-Allow-Headers response header on /oauth/token, so the browser blocks the request at the CORS preflight.

Solution
  1. Update the tracePropagationTargets regular expression to exclude https://<DOMAIN>/oauth/token.

  2. Verify that Sentry no longer adds the sentry-trace and baggage headers to XHR requests to /oauth/token.
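
A sketch of both steps, added here as an example and not taken from Sentry or from the original article: a tracePropagationTargets list that covers the custom domain except /oauth/token, plus a local check of which URLs would receive the headers. The hostnames auth.example.com and api.example.com are constructed placeholders for <DOMAIN> and a first-party API, and wouldPropagate is a hypothetical helper that only approximates the SDK's matching (substring match for strings, test() for regular expressions).

```javascript
// Constructed placeholder standing in for <DOMAIN> from the article.
const AUTH_DOMAIN = "auth.example.com";

// Escape regex metacharacters so the dots in the hostname match literally.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Matches any URL on the custom domain EXCEPT /oauth/token (with or without
// a trailing slash, query string or fragment). Anchoring at ^https://host/
// also keeps trace headers away from lookalike hosts.
function authDomainExceptToken(domain) {
  return new RegExp(`^https://${escapeRe(domain)}/(?!oauth/token(?:[/?#]|$))`);
}

const tracePropagationTargets = [
  /^https:\/\/api\.example\.com\//, // assumed first-party API origin
  authDomainExceptToken(AUTH_DOMAIN),
];

// Hypothetical helper: simplified stand-in for the SDK's target matching,
// used to check the list before deploying it.
function wouldPropagate(url, targets = tracePropagationTargets) {
  return targets.some((t) =>
    typeof t === "string" ? url.includes(t) : t.test(url)
  );
}

// Constructed sample URLs for step 2 of the solution.
const samples = [
  "https://auth.example.com/oauth/token",
  "https://auth.example.com/userinfo",
  "https://api.example.com/v1/items",
];
for (const url of samples) {
  console.log(wouldPropagate(url) ? "headers added  " : "headers omitted", url);
}

// In the application, pass the same list to the SDK:
//   Sentry.init({ dsn: "<DSN>", tracePropagationTargets });
```

After deploying, confirm in the browser's network panel that the request to /oauth/token no longer carries sentry-trace or baggage.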
