Once the missing CORS headers are fixed with OpenID Discovery document does not have CORS headers (#209259) · Issues · GitLab.org / GitLab · GitLab , the Cloudflare browser detection script should not trigger when retrieving URLs like gitlab.com/.well-known/openid-configuration using a XML-HTTP-request (which happens when when using OAuth from a SPA, e.g. https://manfredsteyer.github.io/angular-oauth2-oidc ).
Should I create an issue?