#verhext

Can you share a screenshot of the error message? Just need more clarity where this is surfacing

of course

And this is breaking functionality?

I think the header was added in Chrome 113 and is now active after a 6 month "transition period".

If I deactivate the flag in chrome, the dev server works again with the preview mode.

yes it is no longer possible to reach the preview / dev server on localhost:4242

This is the chrome documentation about this rule: https://developer.chrome.com/blog/private-network-access-preflight?hl=en

Where did you get the hello world app from? Can you link the docs?

stripe apps create helloworld

Do you have the latest version of stripe cli?

And more importantly the latest version of the apps plugin?

stripe version 1.19.1
apps version 1.5.13

Can you share your code and cors settings from the manifest?

Interestingly I am not seeing this myself on that page. With the same stripe CLI and apps plugin version

Also version 120.0.6099.234 for Chrome which Chrome is telling me is up to date. Trying to think of what else could be different here.

can you see if the flag is enabled in your Chrome instance? "chrome://flags/#private-network-access-respect-preflight-results"
The name is "Respect the result of Private Network Access preflights".

Yep, that looks to be it. It was set to "Default" which I guess was disabled because when I explicitly enable it I get the CORS error

So I can file a bug report internally to address this, in the meantime I think temporarily disabling this when testing your app would be the workaround

and on my instance it is enabled by default. I think Chrome is running A/B tests to enable the feature?