Hello everyone,
I have recently set up Traefik with Bitwarden_RS. Everything is working fine (Mac OS app and the web vault) but I am unable to log in via the Safari Web Extension.
Upon trying to log in, I receive the below error related to CORS.
I assume this is related to secure headers but cannot seem to work it out. I am wondering if anyone knows what the issue could be? I assume I have to add additional config to my Middlewares config file?
I have attached below some snippets from logs which appear after I try to log in.
Traefik Logs:
level=debug msg="Trusted connection" entryPointName=https
level=debug msg="Use header remote addr" entryPointName=https
level=debug msg="Header parsed <nil>" entryPointName=https
Traefik Access Log:
"OPTIONS /api/accounts/prelogin HTTP/2.0" 0 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_16) AppleWebKit/605.1.15 (KHTML, like Gecko)" 2 "bitwarden-ui@docker" "-" 0ms
Middlewares config:
http:
  middlewares:
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
          - "Cf-Connecting-Ip"
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        # frameDeny: true #overwritten by customFrameOptionsValue
        # customFrameOptionsValue: "allow-from https:[redacted].com" #CSP takes care of this but may be needed for organizr.
        contentTypeNosniff: true
        browserXssFilter: true
        # sslForceHost: true # add sslHost to all of the services
        # sslHost: "example.com"
        referrerPolicy: "same-origin"
        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""
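
An added example, not part of the original post: a small Python checker that applies the browser's CORS preflight rules (simplified from the Fetch standard) to the response headers returned for a request such as `OPTIONS /api/accounts/prelogin`. The extension origin, the POST request with a JSON `Content-Type`, and the sample response headers (limited to the methods and max-age the posted middleware lists) are constructed assumptions, not captured traffic.

```python
# Added example: browser-side CORS preflight check (simplified from the Fetch standard).
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def needs_allow_header(name, value):
    """True if this request header must appear in Access-Control-Allow-Headers."""
    if name.lower() in SAFELISTED_HEADERS:
        return False
    if name.lower() == "content-type":
        return value.split(";")[0].strip().lower() not in SAFELISTED_CONTENT_TYPES
    return True

def check_preflight(origin, method, req_headers, resp_headers, credentials=False):
    """Return the reasons a browser would reject the preflight (empty list = pass)."""
    resp = {k.lower(): v for k, v in resp_headers.items()}
    problems = []
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("missing Access-Control-Allow-Origin")
    elif allow_origin != origin and (allow_origin != "*" or credentials):
        problems.append("Access-Control-Allow-Origin does not match the request origin")
    if credentials and resp.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    methods = _tokens(resp.get("access-control-allow-methods"))
    wildcard_ok = not credentials  # '*' only counts for non-credentialed requests
    if (method.upper() not in SAFELISTED_METHODS and method.lower() not in methods
            and not ("*" in methods and wildcard_ok)):
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    allowed = _tokens(resp.get("access-control-allow-headers"))
    for name, value in req_headers.items():
        if (needs_allow_header(name, value) and name.lower() not in allowed
                and not ("*" in allowed and wildcard_ok)):
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems

# Constructed sample values (assumptions, not captured traffic).
SAMPLE_ORIGIN = "safari-web-extension://EXAMPLE-ID"           # placeholder origin
SAMPLE_REQUEST_HEADERS = {"Content-Type": "application/json"}  # assumed request header
SAMPLE_RESPONSE = {"Access-Control-Allow-Methods": "GET,OPTIONS,PUT",
                   "Access-Control-Max-Age": "100"}            # mirrors the posted lists

if __name__ == "__main__":
    for p in check_preflight(SAMPLE_ORIGIN, "POST", SAMPLE_REQUEST_HEADERS, SAMPLE_RESPONSE):
        print("preflight would fail:", p)
```

To compare against a live deployment, pass the headers from an actual preflight response (for example from the browser's network inspector) as `resp_headers`.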