"Response Header Transform Rules will also apply to default Cloudflare error pages" is misleading when the error page is generated by challenge actions (403).

[butty2017]

Existing documentation URL(s)

https://developers.cloudflare.com/rules/transform/response-header-modification/

What changes are you suggesting?

Response Header Transform Rules documentation states they "will also apply to default Cloudflare error pages," but this does not hold for 403 responses generated by WAF challenge/block actions. When a cross-origin request is challenged by WAF, the 403 response lacks CORS headers (e.g., Access-Control-Allow-Origin) even when a Response Header Transform Rule is configured to set them. This makes WAF challenge responses incompatible with cross-origin fetch() calls, as JavaScript cannot detect or handle the challenge. The docs should note this exception or clarify which types of Cloudflare-generated responses the transform rules apply to.

Additional information

As a workaround, I changed WAF challenge target to the same-origin URL (actually, added it) because the cross-origin URL in problem is redirected from a same-origin URL.

(Posted this due to suggestion by your AI support.)