This might be due to connecting on an HTTP (rather than HTTPS) URL - could you try using something like NGROK or LocalCan to set up a secure tunnel to your local dev machine, and try from there?

I’m using the sample plugin with Vite at http://localhost:5173 with no CORS issues. It’s working in Edge. Front loads sidebar plugins in an iframe locally, so you don’t need to worry about exposing it or anything, as long as your local browser can reach it. Do you get anything if you visit that URL directly, outside the sidebar? It could be a more restrictive browser or browser policy from your organization, and certainly if you have some kind of proxy between you and Front that could be an issue, but this seems really weird. The only times I’ve had issues with CORS in developing sidebar plugins has been in making calls from the React app to our own backend API (easily solved by editing the API’s CORS policies) and other sites.