function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Admin User 1104Admin User 1104 

CORS is enabled in salesforce but still getting access error in angularjs

I am trying to send $http request to salesforce for submitting a ticket.
I enabled in security setting cors while adding my site to the withlist.
The probelm is that i am still getting the famous error:
XMLHttpRequest cannot load No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' is therefore not allowed access.

                method: 'POST',
                url: '',
                headers: { 'Content-Type': 'application/json' },
                data: param2
Thanks in advance for your help.
NagaNaga (Salesforce Developers) 
Hi Admin User,

You are hitting the browser's same origin security policy. This means that your JavaScript can only make AJAX calls back to the same origin of the containing page - in this case You are trying to make an AJAX call to Salesforce and that gets blocked.

CORS (cross origin resource sharing) relaxes this restriction by letting servers define which origins are allowed to call them through HTTP headers such as Access-Control-Allow-Origin. However, this is configured on the target server ( so Salesforce would need to provide these headers in response to your request, and they don't. Thus your request doesn't succeed and the browser gives you the error.

What is a little confusing about CORS is that you make a request to the server and it will respond with headers to indicate whether the request was allowed or not.

Please follow the below link for more info

Best Regards
Naga Kiran
Admin User 1104Admin User 1104
You are absolutely right.
This is cross origin call.
The page
Does not reallt give an answer how to solve it within salesforce.
I found how to configure the CORS whitelist and i did.

I already enabled in security setting ->cors , in salesforce to know my site and now it is in the white list.
If I understand correctly, after adding your domain to the white list, salesforce server will allow cross origin calls.
Is it true ?
And if it is true, it is not working for me L
Please help
We're you able to find a resolution to this? I am running into the same issue. In my sandbox, I am trying to reference static resources (on in an Aura app component (on

Tim Morgan 46Tim Morgan 46
I'm having the same problem as well. No matter what I do, the whiltelisted domains throw a Javascript error that the Access-Control-Allow-Origin header doesn't exist in Salesforce.
Travis MalleTravis Malle
Same issue here. No matter what I do I get the same error. Any help would be greatly appreciated
Same issue for me. I try to use lightning out to show a lightning component in a simple page on my server. My server is already configured in security>Cors in salesforce but I always have the error XMLHttpRequest cannot load No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' is therefore not allowed access. The response had HTTP status code 500.
Saurabh Pradhan 17Saurabh Pradhan 17
I had similar use case, was able to do CORS request from angular to salesforce by making my server entry in "remote sites" as well as Salesforce "CORS". https only entries would yield desired result.
Paul KaperakPaul Kaperak
We are running into the same issue @salesforce please acknowledge.
Eric BurelEric Burel
Did anybody find an anwser ? This is quite annoying
@LaceySnr - Matt Lacey@LaceySnr - Matt Lacey
Ok, I'm glad this isn't just me. Have tried all sorts and still getting blocked which is causing me major problems right now. 
Jim MacAulay 22Jim MacAulay 22
I too had the same CORS error but have fixed it. Turns out it wasn't a CORS error at all. I was not setting the Session ID in the call so it was failing and giving a CORS error. On further investigation I looked at the response body and low and behold there was an 'Invalid Session ID' message in there.

So, my point is - your error may not be anything to do with CORS - Check the response body in the developer tools of Chrome don't rely on the error message !!!!
Dave ChisholmDave Chisholm

Yes! I just had a look and you are correct the response body is:
[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]

The next question is what to do about it?   In my case I was told by some documentation that CORS whitelisting does not work for the authentication call.  So I set up a proxy script on my server to make that call and pass back the access token.  Then I use that access token from the client side to make a an API request.  So perhaps it is complaining that I auth'd from one session and then calling the API from another?  Or do I manualy have to pass the session ID over from my proxy?

Thank you very much for the tip, if you can add more about how to solve that would be great :)


Dave ChisholmDave Chisholm
...of course I guess I could have my spa make ALL of its calls via my local proxy.  Kinda cheesy but totally effective :)
Jim MacAulay 22Jim MacAulay 22
Hi Dave,

It sounds like what you are doing is correct and should work. Check that the Access Token is actually being sent back and is being included in your call correctly.

For me, I set up a Named Credential in Salesforce and used this whenever I made API calls  (I was going for one Org to another). One of these API calls was to a custom REST call I wrote (Get_Session) which returned the session id. I exposed the result via a property to the client side code to be used directly from the javascript (in actual fact I used it to instantiate a Lightning Out component).
Talha SaqibTalha Saqib
Please try the following resource: