How to deploy a javascript file to be included in 3rd party websites

I’m trying to build React widgets that will be consumed and embedded in 3rd party websites, but I can’t get past 1st base. How do I publish a simple javascript file that a 3rd pary website can include in a script tag without tripping over cors?


They put something like this on their page
<script src="" crossorigin></script>

and I have the following toml in my repository root

for = "/*"
Access-Control-Allow-Origin = "*"

But they still get a CORS error. What am I missing?

Do the Netlify terms of service allow this?

I don’t see the difference between this and hosting an iframe from a terms of service point of view, but I’m happy to be educated about the terms or the technique. Either way, I need to know I can’t do it or how to do it.

btw, removing the crossorigin attribute solves the CORS issue, but I still can’t figure out how to get react, webpack, and netlify to let me specify my own bundle.js in the ./build/static/js directory on netlify

hey chad,

firstly - you are in a bit of a grey area here with regards to terms of service, although it depends a little bit on what exactly you are doing with your netlify site.

Specifically, section 3 point 1:

Users may not use the Service as a remote storage server only.


Users deemed to be using Netlify solely as a remote storage server will have their account immediately terminated and will have all files associated with their account permanently removed.

as we’re very generous with our starter tier, we want to avoid people utilizing us as a remote filedrive (there are better options for that anyway). We’re not so worried about a js file, especially if you are also using that file in a site you are running on netlify, but, if someone where to use their netlify account to store giant video files, or images, or binaries that they are just straight up linking to without serving an actual site, we might have to have a talk about acceptable use, so keep that in mind. :slight_smile:

I’ll have to let someone else chime in on the js questions specifically, but as i’m the TOS expert around here, I figured I’d answer the first half of your q at least.

Thanks, but I’d be surprised if I’m in the gray. Lots of sites put widgets on blogs, etc. Yes?
I could do an <iframe>, but I’d rather do it with a <script> tag, similar to youtube’s <embed> code
The site is and I’m simply developing a widget that users can include on their business sites, blogs, etc.

Thanks for your help and advice.

if you have an actual site, then it’s not a concern - but you hadn’t mentioned that before :slight_smile:

as I mentioned above, we’re specifically interested in preventing people only storing assets on our servers but not including a site in some way. so, to be really clear, if a person had a stack of images, videos, or css files, or js scripts they were linking to from somewhere else, but not actually serving any html etc, we’d have a talk with them about appropriate use.

it seems like what you are doing is fine!