We're getting an "Access-Control-Allow-Origin" error when we try to include JS libraries in a lightning flow component.

We've CORS whitelisted the following:

• https://*.force.com
• https://*.salesforce.com
• https://linvioevents-dev-ed.my.salesforce.com

And referenced the static resources containing the js code via $Resource in a ltng:require component:
 

<ltng:require styles=""  scripts="{!join(',','/resource/evt__JQuery/jquery-3.2.1.min.js',$Resource.EventManagement + '/moment/moment.js',$Resource.TimezonePicker+'/timezone-picker.js')}"  afterScriptsLoaded="{!c.afterJSLoaded}" />

But the platform still thinks we have a CORS problem:
 

Failed to load https://linvioevents-dev-ed.my.salesforce.com/visualforce/session?url=https%3A%2F%2Flinvioevents-dev-ed--evt.na7.visual.force.com%2Fresource%2Fevt__JQuery%2Fjquery-3.2.1.min.js: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Has anyone else run into this?  Is there a fix/work-around?

Thanks

We are now getting the following error when running one of our AppExchange apps on the Summer '17 sandbox preview.  All we've done is create a Visualforce page that references a component in our managed package app but none of the resources are loading.  Even adding a CORS entry does not resolve the problem.  All critical updates have been activated for the org and nothing has changed in our code.  Reverting to API version 39 for the VFpage does not resolve the issue, either.  Is there a bug with the Summer '17 release?

ERROR: Access to Font at 'https://rmhdsm--dev2.cs41.my.salesforce.com/visualforce/{snip}journal.ttf' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

I am facing cross domain error on ajax request in javascript

Ajax Request
 $.ajax({
                    url:"../oppitm/lineitemsort.jsp?id={!oppID}",
                    contentType:"text/html",
                    xhrFields:{withCredentials:true}
                    }).done (
                    function(data){console.log(data)});
Error
XMLHttpRequest cannot load https://ap1.salesforce.com/oppitm/lineitemsort.jsp?id=00690000007jIM1. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://nsp-demo.ap1.visual.force.com' is therefore not allowed access.

I have enabled below origin urls in CORS

• https://*.salesforce.com
• https://ap1.salesforce.com
• https://nsp-demo.ap1.visual.force.com

Please suggest or any workarounds how this can be resolved

We are facing cross domain issues while accesing SalesForce APIs using AngularJS.

When we try to access the token API, we are getting "200 OK" as status, but we will not be able to read the response because "access-control-allow-origin" header is not present in the SF server response. This issue is happening only while fetching the access token api.

Only If a browser that supports CORS makes a request to an origin in the Salesforce CORS whitelist, Salesforce returns the origin in the "Access-Control-Allow-Origin" HTTP header, along with any additional CORS HTTP headers. If the origin is not included in the whitelist, Salesforce returns HTTP status code 403.

We found an alternative to this by accessing the api by calling a PHP file from AngularJS and fetching the api data using cURL.

Is this a good approach or is there any other alternative with direct method?

Hi,

I try to integrate a Spring-Boot REST API project with Salesforce REST API.
My webapp API is running, and use OAuth with Spring-security to manage authentication with Salesforce OAuth2.
Everything is OK if i'am using the API from a browser. I open my Rest API URL, and i can see the call, somes redirect to be authenticated by Salesforce, and finally the result (and i'am logged).
(BTW the final token/json by Salesforce is not cool. The id is a URL, and there is not user_id in the JSON)

But ! my current issue :)

I create a page in my Saleforce with just a button and a jquery/ajax call to my webapp API. During this call my security framework will call Salesforce to authenticate my user. My target is this workflow:

Customer is logged in  my Salesforce -> Use Page which needs some informations from my Business API (not in Salesforce) -> The page run some Jquery/Ajax -> Call the remote API -> The API call Salesforce to authenticate by Oauth2 the current User and be sure he has rights -> Salesforce response callback with token -> Spring-security authenticate the user and redirect to the first URL

I setup some Security in Salesforce. Setup some headers in my API, like Access-Control-Allow-Origin "https://cs15.salesforce.com".
Add a good certifates to be in https (Protocol TLS 1.2 / Key Exchange ECDHE_RSA / Cipher Suite AES_128_GCM).

But i still have this issue Origin 'null' is therefore not allowed:
Chrome console:

XMLHttpRequest cannot load https://cs15.salesforce.com/services/oauth2/authorize?client_id=3MVG9dPGzpc... Redirect from 'https://cs15.salesforce.com/services/oauth2/authorize?client_id=3MVG9dPGzpc...' to 'https://test.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp…FzD9ItsFG5OpKmwmLlfm4hXTFfPOb0gyn8wO5zm04o...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Details:

1) Call my API from Salesforce by Ajax : Redirect 302 to my security login
2) My security login ask for a token and Redirect 302 to https://cs15.salesforce.com
Request
Request URL:https://HIDE/salesforce/b2b/login
Request Method:GET
Status Code:302
Remote Address:HIDE:443

Response
Access-Control-Allow-Origin:https://cs15.salesforce.com
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:Keep-Alive
Content-Length:0
Date:Thu, 24 Nov 2016 10:43:13 GMT
Expires:0
Keep-Alive:timeout=5, max=99
Location:https://cs15.salesforce.com/services/oauth2/authorize?client_id=3MVG9dPGzpc3kWydcitmO_I5XRa8IXTCnEGMfuYLqOUuSscVupHJc8HarX1d845LVyc4iK.QEg6pPEnCZ22IU&redirect_uri=MYURL&response_type=code&state=LF3p4x
Pragma:no-cache
Server:Apache/2.4.10 (Debian)
Set-Cookie:JSESSIONID=3B4CA5B5F6C42F348E8A61898F337D3C;path=/;HttpOnly
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block

3) https://cs15.salesforce.com Redirect 302 to https://test.salesforce.com

Request
Accept application/json, text/javascript, */*; q=0.01
Accept-Encoding gzip, deflate, br
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Host cs15.salesforce.com
Origin null
Referer https://cs15.salesforce.com/apex/testApi
User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0

Response
Cache-Control no-cache, no-store
Content-Length 0
Date Thu, 24 Nov 2016 10:52:19 GMT
Expires Thu, 01 Jan 1970 00:00:00 GMT
Location https://test.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp?source=CAAAAViWZNJKME8wZ
TAwMDAwMDAwMDA0AAAAzOaTCIh6kJYyjZj-e02lxwTTdQXXTUcJzlJ4DzXgdegh0m6sHlq04HfEocp_pFosaq20irC6TTb0L7X_w
sAbV1Un9i6WtsM9HM6yKCS0qWItemCmqQmZPSoSpIo7xemytzeWh-V2-YJBDiKxrm-abjX4m5jqYoxzNZaKIUM7Qm_J47PpnR2xt
q5zuWm_dqz33T415yoDBX4469TCUmBBXowwftFf6CqfjMzhg4810tF-GykYjdeDOuL4ftlW8cu3MOfFLA4tOG8mrDhENy_CXY101
Cl-Gu6TbrsimdkE_0sCgknaAMN6IP4kkwua26HPJPSYgop-sxc5Lhul24fEc1rTOBcOHLQdyOrQdwNZ5KCpYcRxZK2tr1HvgSC6L
sSPhiS9qpTLyl-weNr6-EB1qpR3Z7dILyF7hwyxWQpkj0i0pZ3Q2bQiCgzclnyR8bVWn831UVGNvgXWKxXli5PA6IlJdQCuXyoa1
psQ1r-6G1N7AvrBOn2rgqxKcHXtS8LmDEvI9BZ2HsEFCzYoj4wGLkNxZR-5dargDWZpSYz4XAzG
Pragma no-cache
Set-Cookie BrowserId=nmJ-c8qHSMuDXNkHXWMuUg;Path=/;Domain=.salesforce.com;Expires=Mon, 23-Jan-2017 10:52:19 GMT
disco=;Version=1;Path=/;Domain=.salesforce.com;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;Secure


The error message is clear and true, Origin header attribute is null, but it is Salesforce who set it. Why?
Is it a Salesforce issue? configuration? Headers? Security?
The first call has a good Origin.

Right?

Thank you for your feedback.

Denis

I am calling a rest API from javascript from third party appplication outside salesforce and  getting this issue:-

XMLHttpRequest cannot load https://login.salesforce.com/services/oauth2/token. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access. The response had HTTP status code 400.


My Code:- 
$.ajax({
                    type: 'GET',
                    url: 'https://login.salesforce.com/services/oauth2/token',
                    contentType: 'application/json',
                    dataType: 'json',
                    beforeSend: function(xhr) {
                        xhr.setRequestHeader('grant_type','password'),
                        xhr.setRequestHeader('client_id',  'CLIENT_ID'),
                        xhr.setRequestHeader('client_secret', 'LIENT_SECRET'),
                        xhr.setRequestHeader('username', 'Username'),
                        xhr.setRequestHeader('password', "Password+securityToken")
                    },
                    success: function(response) {
                        console.log('Successfully retrieved ' + response);
                        //Other logic here
                    },
                    error: function(response) {
                        console.log('Failed ' + response.status + ' ' + response.statusText);
                        //Other logic here
                    }
                });


I have made an Connected app adn provide access to that user in Profile settings.

Here are some of my questions:-
1. The callback url in connected app can be http://localhost or should be a proper server URL.
2. Do i need to add http://localhost(server URL) in CORS and REMOTE settings
3. Server URL should be HTTPS (secured)

Please help me in this.

Thanks in advance!
4. I mentioned my error above , please help me in resolving it.
                
 

Is there a clean way to support multiple Access-Control-Allow-Origin domains for access to my REST Apex class?

I tried adding the domains by adding each one individually....e.g. 

res.addHeader('Access-Control-Allow-Origin'.' ....etc.
res.addHeader('Access-Control-Allow-Origin' ... etc.

I trield res.addHeader('Access-Control-Allow-Origin''http://domaina.com, http://domainb.com');

no go 

Do I have to interrogate who is calling and then do an addheader allowing that domain? 

If so, any example code out there for that? 

Hoping there is an easier path on that. 

Hi,

I am receiving the following error message while trying to make an HTTP request via Apex class. I have set the relevant site in 'Remote Site Setting'.

Here is the error message:
------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to retrieve the URL:
<A HREF="http://gateway.onewaysms.com.my:10001/bulktrx.aspx?">http://gateway.onewaysms.com.my:10001/bulktrx.aspx?</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Access Denied.
</STRONG>
<P>
Access control configuration prevents your request from
being allowed at this time. Please contact your service provider if
you feel this is incorrect.
</UL>
<P>Your cache administrator is <A HREF="mailto:support@salesforce.com">support@salesforce.com</A>.


<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated Tue, 25 Jan 2011 08:54:48 GMT by proxy-sin.net.salesforce.com (squid)
</ADDRESS>
</BODY></HTML>
----------------


I have been trying to solve but no use. The URL works fine when I use it in Detail Button- it displays me the correct result. But when I use it in class it shows the above pasted error message.

 

The apex class is:

 

url='http://gateway.onewaysms.com.my:10001/bulktrx.aspx?mtid=1101210013461';
Http h = new Http();
HttpRequest req = new HttpRequest();
req.setEndpoint(url);
req.setMethod('GET');
HttpResponse res = h.send(req);
res.getBody();

System.debug(res.getBody()); ----> Here I get the above error message(highlighted in red).

 

Any suggestion will be highly helpful.