Background
I have an Azure Static Web App that makes a fetch request to Azure Flask App. The Flask app is configured to allow CORs from the static web app. I've also updated the Azure Flask Apps CORs configuration via the Azure Portal to allow requests for the static web app URL as well; although admittedly, I'm not sure if this even necessary if the flask app is already configured to allow CORs. The users of the application are within the same organization.
Problem
For a few users, the fetch requests works fine, and the data is returned to the application. For other users, the request ends with what at first appears to be a CORs error, but upon further inspection, the server is not even receiving the request and a 307-redirect is occurring first.
The redirect location appears to be one of the url-not-approved pages, which makes me think this is simply a whitelisting issue. (The application itself isn't redirecting, just the fetch request, which can be seen in the network tab in the developer tools). However, what I don't understand is, that for the same users whom the app does not work for (and the 307 redirect is occuring), visiting the URL directly in the browser results in the data being returned, which makes me think there is an issue with the fetch call and I need to be passing in additional configuration to the fetch invocation; right now it is just fetch(url)
Is there anything obvious I may be missing? Or does this sound more like a whitelisting issue.
Thanks!