raj kiran

CORS issue during rest api call from browser

I know this will be a known issue, as most of you have faced it. I have searched and reached out to quite a few tech folks but had no luck in getting it resolved.

Question (1): Issue with CORS. We have a use case where the client will be making a REST API call from the user's browser using the endpoint. We are using OAuth with the user-agent flow for authentication purposes. I have tried adding cross origin true on the client side, added IP ranges for the client IP, and added the client domain in the CORS option in SFDC, and nothing worked. We have tested the endpoint from hurl. We are able to pass the authentication successfully the first time and are able to create records as well. However, the clients are not. When they pass values from browser AJAX calls, their initial request is not successful; they are getting a CORS issue.

Sample code used by the client:

    // Settings as posted; the enclosing $.ajax call is assumed (jQuery-style options).
    $.ajax({
        url: "https://sampledoamin.my.salesforce.com/services/oauth2/token",
        method: "post",
        crossOrigin: true,
        contentType: "application/json",
        dataType: 'json',
        data: {
            "grant_type": "refresh_token",
            "client_id": "sample client id",
            "client_secret": "sample key",
            "refresh_token": "sample refresh token"
        },
        // Success handler (body not shown in the post)
        success: function (data) {
        },
        error: function () {
            console.log("authorization failed");
        }
    });

We have used a connected app and the standard REST API.

Question (2): Assuming the above issue gets resolved, there is an issue with access level. Since we have shared a standard REST URL like " https://domain.my.salesforce/services/data/v20.0/sobjects/custom_object_name_c ", the client needs to have access only for data insertion; no access for looking into other records, modifying, deleting, etc. is required. Since this is a standard REST URI for a custom object, could anyone let me know how to restrict access to other objects, etc.?

I appreciate your valuable thoughts on this.
Regards, Raj
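
An added example, not part of the original post: a simplified model of the two CORS checks a browser applies to a cross-origin call such as the one above (whether it sends an OPTIONS preflight first, and whether it lets the script read the response). The origin `https://client.example` and the response headers are constructed sample values; tools that are not browsers skip both checks.

```javascript
// Simplified model of the Fetch-standard CORS rules; not a full implementation.
// Content types that keep a cross-origin POST "simple" (no preflight).
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
// Request headers a script may set without triggering a preflight.
const SAFELISTED_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

// Returns the reasons the browser sends an OPTIONS preflight first (empty array = none).
function preflightReasons(req) {
  const reasons = [];
  const method = req.method.toUpperCase();
  if (!SIMPLE_METHODS.includes(method)) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(req.headers || {})) {
    const h = name.toLowerCase();
    if (!SAFELISTED_HEADERS.includes(h)) {
      reasons.push(`header ${h}`);
    } else if (h === "content-type") {
      const type = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_TYPES.includes(type)) reasons.push(`content-type ${type}`);
    }
  }
  return reasons;
}

// Decides whether the browser exposes a cross-origin response to the page's script.
function responseReadable(origin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allow = h["access-control-allow-origin"];
  if (!allow) return false;                   // no CORS header: response is blocked
  if (allow === "*") return !withCredentials; // wildcard is refused for credentialed requests
  if (allow !== origin) return false;         // must match the page's origin exactly
  return !withCredentials || h["access-control-allow-credentials"] === "true";
}

// The request as posted: POST with contentType "application/json".
const posted = { method: "post", headers: { "Content-Type": "application/json" } };
// The same call sent form-encoded (constructed variant for comparison).
const formEncoded = { method: "post", headers: { "Content-Type": "application/x-www-form-urlencoded" } };
// Constructed response headers: one without CORS headers, one naming the caller's origin.
const noCors = { "Content-Type": "application/json" };
const withCors = { "Access-Control-Allow-Origin": "https://client.example" };

console.log("posted request preflight reasons:", preflightReasons(posted));
console.log("form-encoded preflight reasons:", preflightReasons(formEncoded));
console.log("readable without CORS headers:", responseReadable("https://client.example", noCors));
console.log("readable with matching origin:", responseReadable("https://client.example", withCors));
```

Independently of CORS, any value placed in browser JavaScript, including `client_secret` and `refresh_token`, is readable by every user of the page.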