Index
Edit

Access Your Data (CORS)

For security reasons, your project is configured to only respond to queries from localhost (i.e. your laptop) and the hostname you used when deploying (if you used sanity deploy). If you want to open your project to any other origins, you need to add the host-name to your allowed CORS origins (read more on the technicalities of CORS here).

Typical reasons you'd want to add a new CORS-origin include:

  1. You are using a non-default port when developing, so you'd open to http://localhost:<your port>
  2. You are deploying a front end, so you'd open to https://the-public-host.com
  3. You are deploying a studio outside the Sanity infrastructure (i.e. not using the sanity deploy command)
  4. You want to try something out on JSfiddle, you'd open to https://fiddle.jshell.net

It s good practice to limit your origins to the smallest possible set, and never open a sensitive dataset to public playgrounds like JSFiddle. A JSFiddle example will be able to access projects you open to it with your credentials when you run it.

How to add a CORS origin

You do this from your management console at https://manage.sanity.io

  1. Pick your project from the list
  2. Go to Settings
  3. Under CORS Origins click the Add new origin-button
  4. Enter the origin you want, stating explicitly exactly the protocol, host name and port you want to allow traffic from. Some valid examples include: http://example.org, https://fiddle.jshell.net, https://localhost:3333.
Gotcha

IDN-domains and CORS has known issues in Internet Explorer and Microsoft Edge (now fixed). See details at https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/8075637/

Previous: The Vision PluginNext: Minimal Example