CORS error, only in HTTP/2

Question

I have a .NET app hosted in an Azure App Service that acts as a web service for another app. It has hundreds of endpoints that all work fine. It has been running HTTP 1.1 forever. I am trying to switch to HTTP 2.0. When HTTP 2.0 is enabled, one endpoint (so far it seems to be the only one affected) fails with a CORS error on the client.

Here it is when it is running HTTP 1.1:

And now when running HTTP 2.0:

I am not aware of any direct relationship between CORS requests and HTTP/2 and yet, HTTP/2 clearly makes this one request fail - but I cannot figure out why.

Any idea, anything I can check to figure it out? If it helps at all, the page is publicly accessible here (it will display an error but that is a consequence of the CORS error).

UPDATE

If, in Firefox Network Debug Tool, I select the request that failed and choose to "edit and re-send", and I re-send it "as is" (not changing anything), then the request succeeds... Also the exact same request also succeeds when sent manually in Postman... But it won't work in a browser (tried Firefox, Chrome and Edge).

Answer 1

I finally figured it out. I noticed when replaying the request directly from within the browser dev tools that it stripped the Authorization header because it was empty.

The cause of this error was indeed that the request had an empty Authorization header.

Apparently this is fine with HTTP 1.1, but not HTTP 2.0. God knows why browsers report this as a cross-domain error.