The dev CORS allow_origin_regex in app/main.py covers localhost and the three RFC 1918 private ranges (10/8, 192.168/16, 172.16-31/12) but not the Tailscale CGNAT range (100.64.0.0/10). When the dev backend is reached over a Tailscale tailnet, the browser origin is rejected by CORS.
Change
Add the Tailscale CGNAT range to the dev-only allow_origin_regex so a tailnet-reachable dev host works the same as a LAN one. Dev-only — production still uses an explicit empty allow-list with no regex.
r"100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d+\.\d+"
Scope
app/main.py CORS regex only. No production behaviour change.
Surfaced as an uncommitted working-tree edit during MLZOO-C planning; split out as its own fix per repo convention.
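A check of the fragment above against the actual 100.64.0.0/10 boundaries, added here as an example and not taken from the repository. The scheme and port wrapper in `ORIGIN_RE`, the helper names and the sample origins are assumptions, since the full pattern in app/main.py is not shown.

```python
import ipaddress
import re

# Fragment exactly as given in the issue.
TAILSCALE_FRAGMENT = r"100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d+\.\d+"

# Assumed wrapper: the real pattern in app/main.py is not shown in the issue.
ORIGIN_RE = re.compile(r"https?://(" + TAILSCALE_FRAGMENT + r")(:\d+)?")

CGNAT = ipaddress.ip_network("100.64.0.0/10")


def second_octet_mismatches():
    """Second octets where the fragment and 100.64.0.0/10 disagree."""
    frag = re.compile(TAILSCALE_FRAGMENT)
    bad = []
    for octet in range(256):
        host = f"100.{octet}.0.1"
        in_range = ipaddress.ip_address(host) in CGNAT
        if bool(frag.fullmatch(host)) != in_range:
            bad.append(octet)
    return bad


def origin_allowed(origin, anchored=True):
    """anchored=True uses fullmatch; False uses match (prefix only)."""
    m = ORIGIN_RE.fullmatch(origin) if anchored else ORIGIN_RE.match(origin)
    return m is not None


if __name__ == "__main__":
    # Constructed sample origins, not taken from any log.
    print("octet mismatches:", second_octet_mismatches())
    for sample in ("http://100.64.0.1:5173",
                   "http://100.127.255.254",
                   "http://100.128.0.1:5173",
                   "http://100.64.999.999",
                   "http://100.64.0.1.example.test"):
        print(sample, origin_allowed(sample), origin_allowed(sample, False))
```

The last two samples show what the fragment does not enforce: `\d+` accepts octets above 255, and the dots are only a boundary if the whole origin is matched end to end, so the pattern should be applied with a full match or an explicit `$`.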