CORS

Browsers have a security functionality (called the same-origin policy) which restricts web applications in one domain from accessing resources in another. Without the same-origin policy, it would be much easier for malicious websites to access resources from remote servers. Cross-origin resource sharing (CORS) allows a back end web resource to allow incoming requests from specific external sources.

When testing through a locally-stored version of our OpenAPI spec, through JavaScript in a browser, or some other testing scenarios, endpoints may return a CORS error: No Access-Control-Allow-Origin header is present on the requested resource. This is an expected error.

For more information and links to possible solutions, see Mozilla’s CORS guide, "Cross-Origin Resource Sharing (CORS)."

Change log