
XMLHttpRequest Blocked by CORS Policy

3 replies
Last updated: Apr 17, 2021
Do you know why I might be getting a CORS issue using @sanity/client?
Access to XMLHttpRequest at ‘https://projectId.api.sanity.io/v1/data/query/production?query=*%5B_id%20%3D%3D%20%22d3f9be2c-d6f1-4e13-921e-aad11bdbe554%22%5D%20%20%7B%0A%20%20%20%20...%2C%0A%20%20%7D ’ from origin ‘https://my-domain ’ has been blocked by CORS policy: The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I have added this domain as described here https://www.sanity.io/docs/cors
Apr 16, 2021, 7:22 PM
Sounds like you might have defined a token when instantiating the client?
That's generally not recommended unless this is for an intranet-solution or something behind another layer of authentication, since the token will be visible to anyone on that page.

If it is intentional, you need to check the "Allow credentials" checkbox when creating the CORS origin
Apr 16, 2021, 7:33 PM
Hey user Z, thanks for the help. I don’t think I have added a token 🤔 This is how it looks on the client side:
Apr 17, 2021, 6:29 AM
I think I found the issue, I had to change the API settings to allow credentials on this domain
Apr 17, 2021, 10:27 AM
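
The browser-side check behind the error message in this thread, written out as an added example (not code from the posts above or from Sanity). It follows the CORS check in the Fetch standard; the function name `corsCheck` and the sample header sets are constructed for illustration, and `https://my-domain` is the origin quoted in the question.

```javascript
// Added example: models the browser's CORS response check for a
// cross-origin XHR/fetch. `corsCheck` is a hypothetical helper name.
function corsCheck({ origin, credentialsMode, responseHeaders }) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  const allowCreds = h['access-control-allow-credentials'];

  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  // Without credentials, a wildcard origin is acceptable.
  if (credentialsMode !== 'include' && allowOrigin === '*') {
    return { ok: true, reason: 'allowed (wildcard, no credentials)' };
  }
  // Otherwise the header must echo the requesting origin exactly.
  if (allowOrigin !== origin) {
    return { ok: false, reason: `origin '${allowOrigin}' does not match '${origin}'` };
  }
  if (credentialsMode !== 'include') {
    return { ok: true, reason: 'allowed (no credentials)' };
  }
  // Credentialed request (XHR withCredentials = true): the server must
  // opt in with the exact, case-sensitive value 'true'.
  if (allowCreds !== 'true') {
    const seen = allowCreds === undefined ? '' : allowCreds;
    return { ok: false, reason: `Access-Control-Allow-Credentials is '${seen}', must be 'true'` };
  }
  return { ok: true, reason: 'allowed (with credentials)' };
}

// Constructed sample responses for the origin quoted in the question.
const origin = 'https://my-domain';
const withoutAllowCreds = { 'Access-Control-Allow-Origin': origin };
const withAllowCreds = {
  'Access-Control-Allow-Origin': origin,
  'Access-Control-Allow-Credentials': 'true',
};

for (const [label, headers] of [['origin only', withoutAllowCreds],
                                ['origin + allow credentials', withAllowCreds]]) {
  for (const credentialsMode of ['same-origin', 'include']) {
    const r = corsCheck({ origin, credentialsMode, responseHeaders: headers });
    console.log(`${label} / ${credentialsMode}: ${r.ok ? 'PASS' : 'BLOCKED'} (${r.reason})`);
  }
}
```

The "origin only / include" case is the one reported in the question: the origin is allowed, but the request is credentialed and the response does not opt in.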
