CORS Issue with Istio External Authorization and Authorization Policy for API Authentication

Hello.
I am using Istio External Authorization and Authorization Policy for API authentication.

BTW The error occurs when the client calls the API under certain conditions

  • localhost:3000 (react) → my-api.org (API domain)

Of course, API Sever set response header internally. (Access-Control-Allow-Origin)
And I checked the log, the request was not delivered to the API server.

I think CORS error occurs before the request is forwarded to the provider service.
Could you tell me your opinion?

Below is a sample code similar to my conditions.
mesh config

extensionProviders:
    - name: auth-http-dev
      envoyExtAuthzHttp:
        service: auth.dev.svc.cluster.local

authorization policy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-api-ap
  namespace: dev
spec:
  selector:
    matchLabels:
      app: my-api
  action: CUSTOM
  provider:
    name: auth-http-dev
  rules:
    - to:
      - operation:
          paths:
            - "/rest/api/v1/*"