I have two Cloud Run services:
Service A, a Next.js frontend with Ingress Control set to All and accepting unauthenticated invocations. It's using a service account with the run.invoker permission, and is sending traffic through the project's default VPC.
Service B, a Flask backend with Ingress Control set to Internal, using the same VPC and also allowing unauthenticated invocations. It's using the project's default service account, needed to access Vertex AI. I'll create a more specific service account once I get things to work.
The problem: Service A gets blocked on preflight from accessing Service B:
blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
When I set Service B's Ingress Control to All, Service A can access it with no problem. Also, Service B does have access to Vertex via the default service account, so that's not what's causing the issue.
Here's some of the code on the Flask server:
It has basic CORS enabled:
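from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app)  # flask-cors defaults: CORS headers for all origins on all routes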
Removing CORS configs makes no difference.
Looking at the logs, the frontend's requests don't even seem to reach the backend. All routes accept the OPTIONS method. Also, production is served by waitress.
There's clearly something I'm missing about the configuration, but I'm stumped. Any suggestions or just a starting point of what could be wrong would help greatly.
Upvotes: 0
Views: 90