Cross-origin resource sharing(CORS) and Salesforce APIs

It is very common to find developers trying to access Salesforce information through an API in a web application without success. They usually struggle with the following error:

Access to XMLHttpRequest at '<your_url_instance_and_parameters>' from origin '<your_application_domain>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is the definition of CORS: "Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy." Same-Origin security policy is another important concept that need to be understood by developers.

The flow of CORS mechanism, is explained below:

In summary, to a successful access to Salesforce information from a web application running in a web browser, Salesforce needs to return the correct CORS information on HTTP header, otherwise the browser will block the request.

Including an Origin on Salesforce Whitelist

To allow client applications running in a web browser to access Salesforce information, you need to register the origin first. On your Salesforce ORG, go to Setup -> Security -> CORS. Include all the domains that need to access Salesforce resources through a web browser.

On the example above, if LinkedIn tries to access Salesforce through Salesforce API using Javascript for example, Salesforce will return the origin in the "Access-Control-Allow-Origin HTTP" header, along with any additional CORS HTTP headers, hence the browser will allow the request.

I included the Origin on Salesforce Whitelist and I'm still receiving an error related to CORS in my Browser. What is happening?

Like several Salesforce's features, there are some limitations related to CORS. Only the following Salesforce APIs are supported:

• Analytics REST API
• Bulk API
• Chatter REST API
• Salesforce IoT REST API
• Lightning Out
• REST API
• User Interface API
• Apex REST

But on the majority of the cases, developers complain about CORS related problems and the answer is not because they are using an unsupported API, instead they are using an unsupported endpoint. It is clear on the documentation: "CORS does not support requests for unauthenticated resources, including OAuth endpoints. You must pass an OAuth token with requests that require it". It means that, if you are trying get the Authorization Token directly from a Web Browser, it won't work. It usually happens when developers try to authenticate an user on Salesforce using the Username-Password OAuth Authentication Flow. All the credentials clientID, clientSecret, username and password+security token are passed via parameter and Salesforce will not return the necessary parameters to the browser to allow the authentication.

Remember, to have a complete CORS mechanism, both server (e.g Salesforce) and client (e.g browser), must implement it. If you try to get the Authorization Token using postman or cURL for example, it will be returned successfully. Neither postman and cURL implements CORS mechanism. This is the main reason why developers struggle while trying to get the authentication token.

So, if you need to run an application in a web browser that has to access Salesforce information, try another type of authentication like User-Agent OAuth Authentication Flow . It will redirect the user to Salesforce login page and will return the authorization token after a successful authentication.