In our account, Cross-Origin Authentication is turned on and contains all our subdomain URLs and even a wildcard, but loading Lock v12.5 triggers these errors.
Any idea how to get rid of these? This happens before any authentication attempt.
There could be multiple reasons as to why the request has been blocked due to CORS, but this issue should be handled from the server side when making the request. From my understanding, in this case the requests are blocked by the user’s browser, as the browser sees the Auth0 domain as the rendered page and detects there is a cross-origin call to your password reset API.
You need to make sure the server sends the correct “Access-Control-Allow-Origin” header information in the response, such that the browser understands that it is valid to make a request from the hosted page domain to your API server.
So your API server that handles the password reset needs to send the following header in the response:
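
An added example, not part of the original answer and not Auth0's or the poster's code: one way an API server can choose the `Access-Control-Allow-Origin` value, echoing the request's `Origin` only when it matches an allowlist that includes a subdomain wildcard. The hostnames and the function names `isAllowedOrigin` and `corsHeaders` are assumptions made for illustration.

```javascript
// Constructed placeholder origins; replace with the hosted page and app domains in use.
const ALLOWED_ORIGINS = [
  "https://tenant.example-auth.test", // hosted login page (placeholder)
  "https://*.app.example.test",       // wildcard for first-party subdomains
];

// True only for an exact match or a subdomain of a "*." wildcard entry.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  let url;
  try { url = new URL(origin); } catch { return false; } // e.g. "null"
  // An Origin header is scheme://host[:port] only; reject paths and odd casing.
  if (url.origin !== origin) return false;
  return allowlist.some((entry) => {
    if (!entry.includes("*")) return entry === origin;
    const [scheme, hostPattern] = entry.split("://");
    const suffix = hostPattern.slice(1); // "*.app.example.test" -> ".app.example.test"
    // The leading dot in suffix stops "evilapp.example.test" from matching.
    return url.protocol === scheme + ":" &&
      url.host.endsWith(suffix) && url.host.length > suffix.length;
  });
}

// Builds the CORS response headers for one request to the API.
function corsHeaders(origin, method, allowlist = ALLOWED_ORIGINS) {
  // Vary: Origin keeps shared caches from replaying one origin's response to another.
  const headers = { "Vary": "Origin" };
  // No CORS headers for unknown origins: the browser then blocks the response.
  if (!origin || !isAllowedOrigin(origin, allowlist)) return headers;
  headers["Access-Control-Allow-Origin"] = origin; // echo the vetted origin, never "*"
  if (method === "OPTIONS") { // preflight sent before a JSON POST
    headers["Access-Control-Allow-Methods"] = "POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}
```

Matching the parsed host against a dot-prefixed suffix, rather than testing whether the origin string contains the domain, is what keeps lookalike hosts out of the wildcard.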