CORS allowed for third party domains?

Hi, has anyone else had success getting preflight CORS requests working from third party domains? I’m writing an HTTP API using the http-functions.js file in backend code. While testing this API, I noticed that CORS preflight requests succeed with a 200 OK status code when I choose an origin the same as my application. However, when I choose a different origin I get a 403 error. This seems to happen regardless of what I entered for “Access-Control-Allow-Origin”. If I put “*” for all origins or explicitly type the name of the other origin, it still returns a 403 error. It seems to be ignoring my preference on allowed origins and locking my API down to only work from my own application.

I tested this using the provided sample from the docs:

import {ok, notFound, response} from 'wix-http-functions';

export function get_myFunction(request) {
  if (request.path[0] === "findMe") {
    const body = "Found it!";
    return ok({body: body});
  }

  const body = "Can't find it!";
  return notFound({body: body});
}

export function options_myFunction(request) {
  // set headers as required for specific situation
  let corsHeaders = {
    // which origins are allowed
    "Access-Control-Allow-Origin": "http://www.example.com",
    // which methods are supported - you need to implement
    // functions for all methods listed here
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
    // add additional headers as required
    "Access-Control-Max-Age": "86400"
  };

  // return the response
  return response({"status": 204, "headers": corsHeaders});
}

And then made a CORS preflight request with cURL, using the specified third party origin:

curl -H "Origin: http://www.example.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS --verbose \
 https://www.{mysite}.com/_functions/myFunction
< HTTP/1.1 403 Forbidden

However, putting my own domain as the origin worked. This isn’t useful because the whole point of having an API is to call it from other sites.

curl -H "Origin: https://www.{mysite}.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS --verbose \
 https://www.{mysite}.com/_functions/myFunction
< HTTP/1.1 204 No Content
< Access-Control-Allow-Origin: http://www.example.com
< Access-Control-Allow-Methods: POST, GET, OPTIONS
< Access-Control-Max-Age: 86400

If the official policy of the Wix team is that CORS requests from third party domains are not allowed, shouldn’t the documentation be updated to say that?

I have been using http-functions for another, non-Wix site. It works well.

403 is not a CORS error. Maybe you used a database in your http-functions?
It could be the read permission in the database.

https://support.wix.com/en/article/about-collection-permissions

My code above doesn’t use a database. Are you sure you were using a CORS preflight request? The browser doesn’t fire it for simple GET requests.

I have the same problem. I found the only way to solve this: send a POST request with the “Content-type” header set to a CORS-allowed value, such as “text/plain”. In this case the browser will not send an OPTIONS request first.