CORS suddenly doesn't work?

I have a production site that uses Auth0-lock. It has been working well for months. Today however, we came in, and despite no change to anything on my end, started getting CORS rejections for every login. I have the required CORS settings set correctly (or at least they had been for months). Sadly the logs don’t include the referrer, so I can’t see if someone is somehow hijacking the request. Is anyone else experiencing this?

please help - my production site is now inaccessible because of this issue.

{
  "date": "2017-11-21T15:33:41.064Z",
  "type": "fcoa",
  "description": "Cross origin login not allowed.",
  "connection_id": "",
  "ip": "XXXXXXXXXX",
  "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0",
  "details": {
    "body": {
      "client_id": "XXXXXXX",
      "username": "XXXXXXXXX",
      "password": "*****",
      "realm": "Username-Password-Authentication",
      "credential_type": "http://auth0.com/oauth/grant-type/password-realm"
    },
    "qs": {},
    "connection": null,
    "error": {
      "message": "Cross origin login not allowed.",
      "oauthError": "Cross origin login not allowed.",
      "type": "unauthorized_client",
      "uri": null
    }
  },
  "auth0_client": {
    "name": "lock.js",
    "version": "10.23.1",
    "lib_version": "8.10.1"
  },
  "log_id": "49574419589858254662357052970924925045025100025089228834"
}

{
  "body": {
    "client_id": "XXXXXXXXXXXX",
    "username": "XXXXXXXXXXX",
    "password": "*****",
    "realm": "Username-Password-Authentication",
    "credential_type": "http://auth0.com/oauth/grant-type/password-realm"
  },
  "qs": {},
  "connection": null,
  "error": {
    "message": "Cross origin login not allowed.",
    "oauthError": "Cross origin login not allowed.",
    "type": "unauthorized_client",
    "uri": null
  }
}

I’m still reviewing this situation and trying to obtain additional information about the cause and if this was intended or not. Based on the information I have at this time, this seem to have been an unintentional change, however, I’ll post an update as soon as I have more information.

Meanwhile, I believe what you’re experiencing has a workaround; in particular, can you call the PATCH client endpoint through the Management API with a JSON payload of { "is_first_party": true }. This will explicitly mark the client application as first-party which I’m assuming it’s the case of your application (if the owner or who controls the development of the application is the same entity that owns the Auth0 account then its a first-party application). In my tests, performing this update resolved the situation for me so if it is applicable for your scenario you may want to try it.

Thanks for the update @jmangelo, that seems to have fixed it for now, so thanks for the support - please update when you have concluded your research:)