Get help on Discord

CORS origin won't accept capacitor://localhost URL

5 replies
Last updated: Mar 18, 2021
I have a problem allowing CORS requests from an iOS capacitor app: capacitor runs under 
<capacitor://localhost>
, but the CORS origin form won't let me enter that 🌩️
AI Update

I understand your frustration! The issue is that Sanity's CORS origin form only accepts standard HTTP/HTTPS protocols, and capacitor://localhost uses a custom protocol scheme that isn't supported in the CORS configuration interface.

Here are your options to work around this:

The best solution is to configure Capacitor to use https instead of the custom capacitor:// scheme. In your capacitor.config.ts or capacitor.config.json, add:

{
  server: {
    iosScheme: "https"
  }
}

This makes your iOS app run under https://localhost, which you can then add to Sanity's CORS origins in the standard way through manage.sanity.io under Settings > API > CORS Origins. This is the officially recommended approach by the Capacitor team for avoiding CORS issues.

Important: The iosScheme cannot be set to http (only https or custom schemes), so https://localhost is your valid option here.

2. Use Capacitor's HTTP Plugin

Alternatively, you can bypass CORS entirely by using @capacitor/core's CapacitorHttp plugin. This makes native HTTP requests instead of web-based XHR/fetch requests, which aren't subject to CORS restrictions:

import { CapacitorHttp } from '@capacitor/core';

const response = await CapacitorHttp.request({
  url: 'https://YOUR_PROJECT_ID.api.sanity.io/v2021-10-21/data/query/YOUR_DATASET',
  method: 'GET',
  params: { query: 'YOUR_GROQ_QUERY' }
});

This approach works with any scheme since it bypasses the browser's CORS mechanism entirely.

Why This Happens

Sanity's CORS configuration is designed for standard web protocols. The form validates that origins start with http:// or https://, which is why custom protocol schemes like capacitor:// are rejected. When using authentication tokens with the Sanity client, you also need to enable the "Allow credentials" option for your origin.

The iosScheme: "https" solution is generally preferred because it maintains compatibility with standard web APIs and doesn't require changing how you make HTTP requests in your code.

Show original thread
5 replies
user A
can you pass that to the devs?The request origin is not configurable with capacitor under iOS:
https://ionicframework.com/docs/troubleshooting/cors
I also tried entering 
*://localhost
and other variants, but the sanity UI won't let me enter that...
Interesting. I’m able to enter 
<capacitor://localhost>
in my studio manager.
Ooh. Only on the old version, though. It doesn’t let me on the new one.
You could also try 
sanity cors add <capacitor://localhost> --no-credentials
(or 
--credentials
) from your command line.
That worked, thanks a lot! 🙏

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?