Decide which domains can access your project data.
For security reasons, your project by default only responds to browser requests from http://localhost:3333 (the default local development server for Sanity Studio) and from the hostname you deployed to (if you used sanity deploy). This restriction matters mainly when reading private data or mutating data, as Studio does; most front-end apps that only read your content won't need any additional CORS configuration.
If you want to open up your project to any other origins, you need to add the host name to your allowed CORS origins (you can read more on browser security & CORS or the technicalities of CORS).
Typical reasons you'd want to add a new CORS origin include:
- You run a local development studio on a port other than 3333 (http://localhost:<your port>).
- You host the studio somewhere other than Sanity's hosting (that is, you don't use the sanity deploy command).
- You want to query your data from a code playground such as https://fiddle.jshell.net.
It's good practice to limit your origins to the smallest possible set, and never to open a sensitive dataset to public playgrounds like JSFiddle: any fiddle served from that origin, written by anyone, can access the projects you have opened to it with your credentials when you run it while logged in.
A CORS origin is defined using the following format:
protocol://hostname[:port]
The protocol and hostname are required; the port is optional. Wildcards (*) are allowed.
Some valid examples include:
- https://example.org
- https://*.example.org
- https://fiddle.jshell.net
- http://localhost:3000
- http://localhost:3333
When adding a CORS origin, you also need to decide whether or not to allow credentials. If you allow credentials, the origin is allowed to send authenticated requests using the token or session of a logged-in user.
If this origin hosts a studio, you will need to allow credentials. Otherwise, you should probably select not to allow credentials.
Allowing credentials from wildcard origins is dangerous. Any domain that matches the given pattern will be able to send requests on the user's behalf if they are logged in to your studio.
Are you getting one of these errors in your browser console when trying to access your studio?
Firefox: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://PROJECT_ID.api.sanity.io/v1/users/me. (Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’)
Chrome: Access to XMLHttpRequest at 'https://PROJECT_ID.api.sanity.io/v1/auth/providers' from origin '<STUDIO_URL>' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'
Safari: XMLHttpRequest cannot load https://PROJECT_ID.api.sanity.io/v1/users/me due to access control checks. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
All three mean the browser received a CORS response for the studio's origin, but without Access-Control-Allow-Credentials: true. Allow credentials on that CORS origin.
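To make the origin format, the wildcard rule, the credentials choice and the console errors above concrete, here is an added example (not Sanity's code, and not how the Sanity API is implemented) that models an allow list of protocol://hostname[:port] entries, matches a browser's Origin header against it, and derives the response headers an API would send. The wildcard semantics ("*" matches one or more characters), the default-port handling, and the SAMPLE_ALLOW_LIST are assumptions made for this example.

```javascript
// Added example: a minimal model of a CORS allow list in the
// protocol://hostname[:port] format described on this page.
// Wildcard semantics and default-port handling are assumptions of this
// example, not Sanity's documented matching rules.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Parse an allow-list entry; "*" is accepted inside the hostname.
function parseOriginPattern(pattern) {
  const m = /^(https?):\/\/([A-Za-z0-9.*-]+)(?::(\d{1,5}))?$/.exec(pattern);
  if (!m) throw new Error(`invalid CORS origin pattern: ${pattern}`);
  const protocol = m[1] + ':';
  return {
    protocol,
    hostname: m[2].toLowerCase(),
    // Assumption: a pattern without a port matches only the protocol's default port.
    port: m[3] || DEFAULT_PORTS[protocol],
  };
}

// Assumption: "*" matches one or more characters, so "*.example.org" covers
// "studio.example.org" but not "example.org" itself or "evil-example.org".
function hostnameMatches(patternHost, hostname) {
  const re = new RegExp('^' + patternHost.split('*').map(escapeRegex).join('.+') + '$');
  return re.test(hostname);
}

// Compare a parsed Origin URL with one allow-list pattern.
function originMatches(pattern, url) {
  const p = parseOriginPattern(pattern);
  const effectivePort = url.port || DEFAULT_PORTS[url.protocol];
  return p.protocol === url.protocol &&
    hostnameMatches(p.hostname, url.hostname) &&
    p.port === effectivePort;
}

// Response headers for a request from requestOrigin, given an allow list of
// { origin, allowCredentials } entries. Returns null when the origin is not
// allowed; a browser then blocks the response.
function corsResponseHeaders(allowList, requestOrigin) {
  let url;
  try { url = new URL(requestOrigin); } catch (e) { return null; } // also rejects "null" origins
  for (const entry of allowList) {
    if (!originMatches(entry.origin, url)) continue;
    // Echo the matched origin rather than "*": browsers reject "*" together
    // with Access-Control-Allow-Credentials: true.
    const headers = { 'Access-Control-Allow-Origin': url.origin, 'Vary': 'Origin' };
    if (entry.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
    return headers;
  }
  return null;
}

// Models the three console errors quoted above: a request sent with
// credentials mode "include" (e.g. a studio calling /v1/users/me) fails
// unless the response carries Access-Control-Allow-Credentials: true.
function credentialedRequestBlocked(headers) {
  return headers === null || headers['Access-Control-Allow-Credentials'] !== 'true';
}

// Flag the configuration the page warns about: credentials allowed on a
// wildcard origin, which lets every host matching the pattern act as the
// logged-in user.
function auditAllowList(allowList) {
  return allowList.filter((e) => e.allowCredentials && e.origin.includes('*'));
}

// Constructed sample allow list for this example, not a real project's config.
const SAMPLE_ALLOW_LIST = [
  { origin: 'http://localhost:3333', allowCredentials: true },          // local studio
  { origin: 'https://*.example.org', allowCredentials: false },         // read-only front ends
  { origin: 'https://*.staging.example.org', allowCredentials: true },  // the risky kind
];

console.log(corsResponseHeaders(SAMPLE_ALLOW_LIST, 'https://studio.example.org'));
console.log(credentialedRequestBlocked(corsResponseHeaders(SAMPLE_ALLOW_LIST, 'https://studio.example.org')));
console.log(auditAllowList(SAMPLE_ALLOW_LIST).map((e) => e.origin));
```

Running it shows the failure mode from the errors above: https://studio.example.org matches the https://*.example.org entry and gets an Access-Control-Allow-Origin header, but because that entry does not allow credentials, a studio hosted there would still be blocked on its credentialed requests. The audit call reports the wildcard-plus-credentials entry as the one to revisit.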
You can add a CORS origin from your management console or using the command line interface (CLI).
To add a CORS origin, you will need the proper permissions. If you are unable to add a CORS origin, please speak to your project Administrator.
To add a CORS origin from your management console:
To add a CORS origin from the CLI:
sanity cors add [ORIGIN]
where [ORIGIN] meets the requirements listed above. You can confirm the origin was added by the message CORS origin added successfully, or by consulting the list returned by:
sanity cors list