GitLab Pages Static Assets Redirecting to OAuth Endpoint, Causing CORS Failures

Summary

I noticed my previously working GitLab page is now failing to load due to some new redirect when it tries to get the CSS and other static files. It seems to be redirecting to an OAuth URL. Did something recently change? Here is the console output so you can see what I am seeing.

ounstatus/:1 Access to script at 'https://vlab.noaa.gov/gitlab-community/oauth/authorize?client_id=rjC_SNUwmLIqxR9CYkXrWz9LKL3Q1RGiXIiZl0cyjjI&redirect_uri=https://pages-gitlab-community-vlab.noaa.gov/projects/auth&response_type=code&state=SrVO5H4b6ak34CbxeG0xMQ==&scope=read_api&root_namespace_id=34' (redirected from 'https://pages-gitlab-community-vlab.noaa.gov/NWS/Field/SR/oun/ounstatus/assets/index-4Qxwxl_r.js') from origin 'https://pages-gitlab-community-vlab.noaa.gov' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
ounstatus/:8  GET https://vlab.noaa.gov/gitlab-community/oauth/authorize?client_id=rjC_SNUwmLIqxR9CYkXrWz9LKL3Q1RGiXIiZl0cyjjI&redirect_uri=https://pages-gitlab-community-vlab.noaa.gov/projects/auth&response_type=code&state=SrVO5H4b6ak34CbxeG0xMQ==&scope=read_api&root_namespace_id=34 net::ERR_FAILED 302 (Found)
ounstatus/:1 Access to CSS stylesheet at 'https://vlab.noaa.gov/gitlab-community/oauth/authorize?client_id=rjC_SNUwmLIqxR9CYkXrWz9LKL3Q1RGiXIiZl0cyjjI&redirect_uri=https://pages-gitlab-community-vlab.noaa.gov/projects/auth&response_type=code&state=bxjUjU6SDUh9odz89LH39A==&scope=read_api&root_namespace_id=34' (redirected from 'https://pages-gitlab-community-vlab.noaa.gov/NWS/Field/SR/oun/ounstatus/assets/index-COcDBgFa.css') from origin 'https://pages-gitlab-community-vlab.noaa.gov' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
ounstatus/:9  GET https://vlab.noaa.gov/gitlab-community/oauth/authorize?client_id=rjC_SNUwmLIqxR9CYkXrWz9LKL3Q1RGiXIiZl0cyjjI&redirect_uri=https://pages-gitlab-community-vlab.noaa.gov/projects/auth&response_type=code&state=bxjUjU6SDUh9odz89LH39A==&scope=read_api&root_namespace_id=34 net::ERR_FAILED 302 (Found)

Steps to reproduce

  1. Open the GitLab Pages site (example: https://pages-gitlab-community-vlab.noaa.gov/NWS/Field/SR/oun/ounstatus/).
  2. Observe requests for static assets (CSS/JS) under /assets/....
  3. See that these requests are redirected to an OAuth URL under https://vlab.noaa.gov/gitlab-community/oauth/authorize.
  4. Browser console shows CORS errors and blocked asset loading.

Example Project

If needed, I can provide an example GitLab Pages project reproducing the issue. The problem is occurring on an existing Pages site previously functioning without changes.

What is the current bug behavior?

Static assets on a GitLab Pages site are being redirected to an OAuth authorization endpoint:

https://vlab.noaa.gov/gitlab-community/oauth/authorize?client_id=...

This produces a CORS error:

Access to script at 'https://vlab.noaa.gov/gitlab-community/oauth/authorize?...'
(redirected from 'https://pages-gitlab-community-vlab.noaa.gov/.../assets/index-....js')
has been blocked by CORS policy: 
No 'Access-Control-Allow-Origin' header is present on the requested resource.

As a result:

  • CSS and JS files fail to load
  • The entire GitLab Pages site is broken

This behavior started recently without any changes to the project.

What is the expected correct behavior?

  • GitLab Pages should serve static files directly from the Pages host without any OAuth redirection.
  • No authentication should be required to fetch public Pages assets.
  • Assets should load as before (200 OK, no redirects).

Relevant logs and/or screenshots

Access to script at 'https://vlab.noaa.gov/gitlab-community/oauth/authorize?client_id=rjC_SNUwmLIqxR9CYkXrWz9LKL3Q1RGiXIiZl0cyjjI&redirect_uri=https://pages-gitlab-community-vlab.noaa.gov/projects/auth&response_type=code&state=SrVO5H4b6ak34CbxeG0xMQ==&scope=read_api&root_namespace_id=34'
(redirected from 'https://pages-gitlab-community-vlab.noaa.gov/NWS/Field/SR/oun/ounstatus/assets/index-4Qxwxl_r.js')
from origin 'https://pages-gitlab-community-vlab.noaa.gov' 
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present.
GET https://vlab.noaa.gov/gitlab-community/oauth/authorize?... net::ERR_FAILED 302 (Found)

Output of checks

This bug happens on GitLab.com-hosted GitLab Pages infrastructure (pages-gitlab-community-vlab.noaa.gov).

Deployment: GET Version: 18.4.4


Edited by Abdullah Amer
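
Added example, not part of the original report: a triage script that parses browser console messages of the kind quoted above and reports, for each blocked asset, whether it was redirected cross-origin to an OAuth authorization endpoint and which scope and callback were requested. The sample input, hostnames, placeholder values and the `analyse` helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the console messages in the report;
# hostnames, client_id and state are placeholders, not real values.
SAMPLE_CONSOLE = """\
site/:1 Access to script at 'https://gitlab.example.test/oauth/authorize?client_id=PLACEHOLDER&redirect_uri=https://pages.example.test/projects/auth&response_type=code&state=PLACEHOLDER&scope=read_api' (redirected from 'https://pages.example.test/group/site/assets/index-abc.js') from origin 'https://pages.example.test' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
site/:1 Access to CSS stylesheet at 'https://cdn.example.test/lib.css' (redirected from 'https://pages.example.test/group/site/assets/lib.css') from origin 'https://pages.example.test' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
"""

# Matches Chrome-style "blocked by CORS policy" messages that include a redirect.
CORS_LINE = re.compile(
    r"Access to (?P<kind>[\w ]+?) at '(?P<target>[^']+)' "
    r"\(redirected from '(?P<asset>[^']+)'\) from origin '(?P<origin>[^']+)'"
)


def origin_of(url):
    """Return scheme://host[:port] for a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def analyse(console_text):
    """Summarise each redirected, CORS-blocked subresource in the console text."""
    findings = []
    for m in CORS_LINE.finditer(console_text):
        target = urlsplit(m["target"])
        query = parse_qs(target.query)
        findings.append({
            "kind": m["kind"],
            "asset": m["asset"],
            "redirect_origin": origin_of(m["target"]),
            # The browser enforces CORS because the redirect left the page's origin.
            "cross_origin": origin_of(m["target"]) != m["origin"],
            # An authorization-code request means the asset is gated behind login.
            "auth_redirect": target.path.endswith("/oauth/authorize")
                             and query.get("response_type") == ["code"],
            "scope": query.get("scope", [None])[0],
            "callback": query.get("redirect_uri", [None])[0],
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_CONSOLE):
        print(finding)
```
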