API 6.0 CORS

I seem to be at an impasse with the newest Pi-hole API. My goal is to have a local client other than the Pi-hole server execute REST calls against the Pi-hole server. I'm getting inconsistent results with the headers returned for the various calls. I've been editing the values in the webserver.headers. I’m finding that the api/auth call always returns the header "Access-Control-Allow-Headers:", regardless of the Content-Security-Policy value. The other calls never return the "Access-Control-Allow-Headers:" header. When I add that header to the webserver.headers area, the api/auth fails, with the browser returning a "Multiple Access-Control-Allow-Headers" error.

My question is: Does anyone know the right combination of Content-Security-Policy and/or custom headers to get this API to work for whatever clients I want? Security-wise, this is all behind a firewall and not exposed to the greater Internet without a VPN.

The alternative is that I'll need to write a custom gateway to get to the API, which I'd rather not do. Thank you!

I'm not sure how this couldn't be a bug. I ended up writing a custom gateway in front of my two Pi-hole servers to get the GETs to return data to any browser.

Hey, do you have more details? I have a similar issue, trying to add domains to accepted hosts for CORS.

I don’t have any more details other than those in my initial post. I can say that my custom gateway does work, but I’m not sure I’m going to continue to implement the project that I was considering. Lots of infra to set up for not much gain.
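The header handling that a gateway like the one mentioned in this thread needs, as an added example that is not code from any poster or from Pi-hole: it strips whatever `Access-Control-*` headers the backend sent and emits exactly one set for allowlisted origins, which avoids the "Multiple Access-Control-Allow-Headers" error. The origin, header names, methods and sample response are assumptions constructed for illustration.

```javascript
// Added example: CORS header normalisation for a small gateway.
// ALLOWED_ORIGINS, ALLOWED_HEADERS and ALLOWED_METHODS are assumptions.
const ALLOWED_ORIGINS = new Set(["http://dashboard.lan:8080"]);
const ALLOWED_HEADERS = "Content-Type, X-Example-Session"; // hypothetical names
const ALLOWED_METHODS = "GET, POST, DELETE, OPTIONS";

// Headers are [name, value] pairs so that duplicates stay visible.
function duplicatedCorsHeaders(headers) {
  const counts = new Map();
  for (const [name] of headers) {
    const key = name.toLowerCase();
    if (key.startsWith("access-control-")) {
      counts.set(key, (counts.get(key) || 0) + 1);
    }
  }
  return [...counts].filter(([, n]) => n > 1).map(([key]) => key);
}

function normalizeCors(upstream, requestOrigin) {
  // Drop every Access-Control-* header the backend sent, so a header that
  // appears on only some routes can never be emitted twice.
  const out = upstream.filter(([name]) => !/^access-control-/i.test(name));
  // The response depends on Origin; tell caches so.
  out.push(["Vary", "Origin"]);
  // Exact-match allowlist: never echo an arbitrary Origin and never use "*".
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    out.push(["Access-Control-Allow-Origin", requestOrigin]);
    out.push(["Access-Control-Allow-Headers", ALLOWED_HEADERS]);
    out.push(["Access-Control-Allow-Methods", ALLOWED_METHODS]);
  }
  return out;
}

// Constructed sample: a backend response carrying the header twice, the
// situation the browser rejects in the first post.
const SAMPLE_UPSTREAM = [
  ["Content-Type", "application/json"],
  ["Access-Control-Allow-Headers", "Content-Type"],
  ["Access-Control-Allow-Headers", "Content-Type, X-Example-Session"],
];

console.log(duplicatedCorsHeaders(SAMPLE_UPSTREAM));
console.log(normalizeCors(SAMPLE_UPSTREAM, "http://dashboard.lan:8080"));
console.log(normalizeCors(SAMPLE_UPSTREAM, "http://other.example"));
```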
