+ Start a Discussion

Static Resource loaded by LWC is blocked by CORS policy due to header mismatch

We have an LWC that works perfectly in all orgs.
We use Lightning Out in a VF Page to display the LWC in multiple orgs.
In only some of those orgs, we are starting to see a CORS issue due to the static resource being served by a different url than the CORS header accompanying it.
We have tried making the static resource private and public, same problem.
The problem goes away for a user, if that user goes to setup and downloads the static resource (it will still remain for other users in the org until they do so too though).

Here's the actual CORS error (sanitized for privacy) from the browser dev console:
Access to XMLHttpRequest at 'https://acme--c.visualforce.com/apex/VFPage?id=a026g00000F6SkOAAV&isdtp=p1&sfdcIFrameOrigin=https://acme.lightning.force.com' (redirected from 'https://acme--c.na174.visual.force.com/apex/VFPage?id=a026g00000F6SkOAAV&isdtp=p1&sfdcIFrameOrigin=https://acme.lightning.force.com') from origin 'https://acme--c.na174.visual.force.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
VinayVinay (Salesforce Developers) 

There is a change in CORS errors for static resources post Winter21.  Check below reference for more details if issue is not solved please contact Salesforce support.


Hope above information was helpful.

Please mark as Best Answer so that it can help others in the future.


Thanks Vinay, we don't have the Release Update enabled though. It seems like this is somehow a bug or a code reversion.
Dan Moore 76Dan Moore 76
I've also experienced a similar issue, in my case, it's a screen flow with an LWC embedded being rendered in a Visualforce page (iframe). I recognize this is a fairly complex use case, but it doesn't seem to be a problem in every org, and can sometimes be fixed by loading the page once, and then refreshing it, or by disabling/enabling certain browser extensions. I've attempted to CORS whitelist every permutation of domains that the Visualforce, LWC, and static resource *might* be loading from, but that doesn't seem to make a difference in an org where nothing I do seems to help. Hopefully someone might have additional suggestions on how to address this.
Vitalii DehnerysVitalii Dehnerys

Hi mkaufman,

Have you resolved this issue, I am facing the same one ?

Vitalii, YES we did come up with a solution.  In addition to loading the static resource in the LWC, we also load it in the VF Page. From what I can tell, this loads prior to the LWC which results in the LWC receiving the static resource from the correct URL. Here's more info on how to reference a static resource from Visualforce https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_resources_reference.htm