Access-Control-Allow-Origin issue on login

[cforce]

On initial request https://example.com i get below CORS issue i can't explain. The background image is loaded and login redirect did not happen. Then when i reload the page again the redirect works as expected

Access to fetch at 'https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%example.com%2F.auth%2Flogin%2Faad%2Fcallback&client_id=XXXXXXXXXXXXXXXXXXXXXXXX&scope=api%3A%2F%2FXXXXXXXXXXXXXXXXXXXXXXXX.default+openid+profile+email+offline_access&response_mode=form_post&nonce=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&state=redir%3D%252Fauth_setup' (redirected from 'https://example.com/auth_setup') from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled

[pamelafox]

I think @mattgotteiner has seen CORS issues in the past. Are you using user login on App Service with built-in auth? Or are you on Azure Container Apps?

[cforce]

It is fixed when I set ALLOW_ORGIN to my domain which shall not needed according to docs- is it?