[GH-ISSUE #915] [Bug] CORS Error when connecting to Aliyun DashScope (Tauri Frontend Direct Fetch) #675

Open
opened 2026-03-02 03:41:12 +03:00 by kerem · 0 comments
Owner

Originally created by @kmwhang on GitHub (Feb 28, 2026).
Original GitHub issue: https://github.com/codexu/note-gen/issues/915

Describe the bug in detail

👋 Hello Development Team,

First of all, thank you for developing Notegen! I encountered a connection issue while trying to configure Aliyun DashScope (Coding Plan), and I hope to get your help or suggestions.

📋 Problem Description

After filling in the Aliyun DashScope API information and URL in Notegen's LLM configuration, the request keeps failing. The console error shows CORS Policy Blocked.

🛠️ Environment Info

Version: [Please fill in version, e.g., v1.0.0]
OS: [Please fill in OS, e.g., Windows 11 / macOS]
Provider: Aliyun Bailian DashScope
Request URL: https://coding.dashscope.aliyuncs.com/v1/chat/completions

📝 Error Logs

The console repeatedly shows the following CORS interception errors, indicating that frontend (Tauri) direct requests to Aliyun interfaces are blocked by browser security policies:

Access to fetch at 'https://coding.dashscope.aliyuncs.com/v1/chat/completions' from origin 'http://tauri.localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

🔍 Analysis

Architecture Limit: Notegen is built on Tauri, with the frontend running in the http://tauri.localhost environment.
Cloud Policy: Aliyun DashScope API does not allow direct cross-origin calls from the browser by default (to protect API Key security); it must be relayed through the server side.
Current Behavior: The app seems to initiate fetch requests directly at the frontend JS level, causing interception by CORS policies.

💡 Suggested Solutions

To better support Aliyun and similar private deployment models that do not support CORS, please consider the following improvements:

Solution A (Recommended):
Implement request forwarding in the Tauri backend (Rust). Let the frontend call Rust commands, and have Rust initiate HTTP requests. This avoids browser CORS restrictions and protects the API Key.

Solution B (Workaround):
State in the documentation that if using Aliyun, users are advised to use a local proxy middleware, or default to Aliyun's OpenAI compatible mode URL: https://dashscope.aliyuncs.com/compatible-mode/v1.

🙏 Thanks

Looking forward to Notegen getting better! If you need more logs or testing cooperation, please feel free to contact me.

NoteGen version

v0.26.0

Operating system

Windows

Error log

Access to fetch at 'https://coding.dashscope.aliyuncs.com/v1/chat/completions'
from origin 'http://tauri.localhost' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
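
Why the request in this log is preflighted and why the preflight is rejected, as an added example that is not part of the issue or of NoteGen's code: a simplified model of the WebView's CORS preflight check. The request headers, the placeholder key and the sample response headers are assumptions constructed for illustration.

```javascript
// Simplified model of the CORS preflight check a WebView runs before a
// cross-origin fetch. It ignores credentials mode, the preflight cache, the
// Range header and the requirement that the OPTIONS response has an ok status.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Request header names (lower-cased, sorted) that force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .map(([k, v]) => [k.toLowerCase(), String(v)])
    .filter(([k, v]) => k === "content-type"
      ? !SIMPLE_TYPES.has(v.split(";")[0].trim().toLowerCase())
      : !SAFE_HEADERS.has(k))
    .map(([k]) => k)
    .sort();
}

function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method.toUpperCase()) ||
    unsafeHeaders(req.headers).length > 0;
}

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || "").toLowerCase().split(",").map((s) => s.trim());

// Evaluate the OPTIONS response headers against the pending request.
function checkPreflight(req, origin, resHeaders) {
  const h = Object.fromEntries(
    Object.entries(resHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  if (allowOrigin !== "*" && allowOrigin !== origin) return { ok: false, reason: "origin not allowed" };
  const allowed = tokens(h["access-control-allow-headers"]);
  // "authorization" must be listed by name; the "*" wildcard does not cover it.
  const missing = unsafeHeaders(req.headers).filter((n) =>
    !allowed.includes(n) && !(allowed.includes("*") && n !== "authorization"));
  if (missing.length) return { ok: false, reason: "headers not allowed: " + missing.join(", ") };
  const method = req.method.toLowerCase();
  const methods = tokens(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(method.toUpperCase()) && !methods.includes(method) && !methods.includes("*"))
    return { ok: false, reason: "method not allowed" };
  return { ok: true, reason: "preflight passed" };
}

// Constructed request resembling the one in the log; the key is a placeholder.
const ORIGIN = "http://tauri.localhost";
const request = { method: "POST",
  headers: { Authorization: "Bearer sk-PLACEHOLDER", "Content-Type": "application/json" } };
console.log(needsPreflight(request), checkPreflight(request, ORIGIN, {}));
```

The check is enforced by the WebView, not by the server, so an HTTP request made from the Rust side of a Tauri app never goes through it.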
