Disabling "Full scope allowed" for a client results in CORS errors on the client side


After succesfully setting up keycloak for my angular app, I’m now trying to tweak the configuration to keep it as tight as possible.

One of the (seemingly obvious) choices is to disable ‘Full scope allowed’. However this leads to CORS errors on the client.
Even if I add all available scopes instead of just setting “Full scope allowed” I get the errors.
I would expect that if I manually select all scopes that are shown, this would be the same as just setting the flag to true. Seems not to be the case.

I suspect the web-origins scope is causing the error, but I cannot add that scope manuall in this screen…

Any suggestions?