Joining with Delegation File Missing Access-Control-Allow-Origin

Here we try to create an IG in the failure.privacy-sandbox-testing-one.com origin from the www subdomain. The logic for the delegation file, shown below, will not attach the Access-Control-Allow-Origin header when the request comes in for the failure origin, so even though it returns true for the permissions, the permissions arenn't granted.

Conclusion: the delegation file needs the Access-Control-Allow-Origin header.

Client Side Code

Client side code will simply try to join an IG owned by failure.

            
                window.onload = async function() {
                  const failureOrigin = 'https://failure.privacy-sandbox-testing-one.com/';
                  navigator.clearOriginJoinedAdInterestGroups(failureOrigin);
                  var r = joinUsingOrigin(failureOrigin);
                  r.then(result => {
                      console.debug('Join succeeded for:' + failureOrigin, result);
                  })
                  .catch(error => {
                      console.error('Join failed for: ' + failureOrigin, error);
                  });
                }
            
        

Well Known Delegation Logic

The delegation file returned for the failures subdomain (meaning when the browser asks failures.privacy-sandbox-testing-one.com whether the www origin and make IGs for it) will not include the cross origin header, which should trigger the CORS issue shown below (although it does seem caching gets in the way sometimes, but failurs. never had true for delegation so shouldn't be an issue).

            
              fastify.get("/.well-known/interest-group/permissions/", function(request, reply) {
                const queryParamValue = request.query.origin;
                const submittedOrigin = decodeURIComponent(queryParamValue);
                submittedOrigin.trim();
                submittedOrigin.trim('/');
                const validOrigins = [
                  'https://www.privacy-sandbox-testing-one.com',
                  'https://auctions.privacy-sandbox-testing-one.com',
                  'https://interest-groups.privacy-sandbox-testing-one.com',
                ]; // note creatives. is intentionally not in here, want it for experiment...failure. is not included to trigger a CORS failure
                var val = 'false';
                if (validOrigins.includes(submittedOrigin)) {
                  val = 'true';  
                }
                reply.type('application/json').code(200);
                
                const host = request.headers.host;
                if (host != 'failure.privacy-sandbox-testing-one.com') { // dumb trick for demo, want to trigger specific failure of x origin
                  reply.header('Access-Control-Allow-Origin', '*');
                }
                var r = '{"joinAdInterestGroup": ' + val + '}';
                //console.log(r);
                return r;
              });
            
        

Expected Result

You should see roughly the following in dev tools.