SEC7123: Request header content-type was not present in the Access-Control-Allow-Headers list.
and this error on Firefox:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.hsforms.com/submissions/v3/integration/submit/[id]/[guid]. (Reason: missing token 'content-type' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel).
This request works just fine in Chrome and Edge.
OPTIONS response headers has access-control-allow-headers: * set, but apparently access-control-allow-headers does not accept wildcards by the spec. The accepted headers should probably listed separately in Hubspot Forms API instead of using a wildcard.
There hasn't been a fix for this rolled out yet, but I touched base with the team and they anticipate a fix to be ready for tomorrow. I'll keep this thread updated with new info as I get it.
Thanks for bringing this to our attention. I've touched base with the team on this, and I'll update this thread when I have new information going forward.