I've run into a frustrating issue involving CORS while trying to implement a tracking script requested by our marketing team. The script throws a CORS error when it tries to make a `GET` request to 'https://tracking.com', stating that it has been blocked due to the absence of the 'Access-Control-Allow-Origin' header. Basically, example.com (our website) is forbidden from accessing resources from tracking.com due to CORS policy.
From what I understand, the server on tracking.com should include certain headers like 'Access-Control-Allow-Origin: https://example.com' or a wildcard '*' and 'Access-Control-Allow-Credentials: true' to enable this. However, their support team suggested two peculiar things:
1. Add tracking.com to the CORS whitelist, which I assume means changing the 'Access-Control-Allow-Origin' on our server, but I don't see how that would work.
2. Disable CORS on the browser, which seems impractical, since that wouldn't solve the issue for any other visitor.
I am beginning to think I'm losing my grip on reality here. Is their support team out of touch, or am I missing something really obvious?
4 Answers
Be wary of using 'withCredentials=true'—that might be causing additional preflight checks that the server isn’t prepared for. If it's not crucial for tracking, consider trying it without that setting. But again, this is really something they should be clarifying on their end, not putting on you!
Honestly, move away from `XMLHttpRequest` if you can. It's clunky compared to using `fetch`. It's worth trying to see if switching methods aids in compatibility. Also, be sure to check the authentication against their API because sometimes those can mess with the CORS headers too.
I’m not the one coding that XMLHttpRequest—it’s part of their tracking script, like how Google Analytics would handle it. It’s really not my place to fix their code!
They're probably not going to whitelist for just every customer—they might not even want their API accessible from the web as a whole. A reverse proxy might be the best way to go here. Set up a node server to fetch data from their API without needing to deal with CORS on the front end, then call that node server from your web app. It’s like an intermediary that handles the requests for you.
I hear you! But it wasn't my decision to use their tracking script. I just implemented what they provided.
It sounds like their support really doesn't get how CORS works. They need to whitelist your domain (example.com) on their server, allowing the proper headers. Bypassing CORS on the browser isn't a feasible solution, especially since it won't help any of your site's other users. Just stick to your guns and keep pressing them about their end of the deal!
Exactly! I told them the same thing, but they just keep repeating those weird solutions!
Yeah, but I'm just using the code they sent over. It’s frustrating that it’s falling on me!