Last tested: Oct 19, 2020
WHAT DOES THIS MEAN?
We most commonly see this response when an API consumer is incorrectly using the
origin header in an API call.
CORS is only available when using the new experimental API 4.0. As such, any request with an
origin header to /api/3.0/ or /api/3.1 or /api/4.0/login will fail no matter what, and additionally, any valid request to api/4.0/ will require that its
origin header value is also in the Embedded Domain Whitelist.
How do I fix it?
origin header will not work in any of these circumstances:
- Call is made to API 3.0 or 3.1, or
- Call is made to api/4.0/login, or
- The domain used in the origin header is not on the Embedded Domain Whitelist.