Site/.netlify/identity/token blocked by cors policy

I am using GitHub - jon-sully/react-netlify-identity-gotrue: A pure React (hooks-based) API to Netlify Identity / GoTrue, fully implementing all auth workflows to implement identity login, @jonsully

I was developing on chrome with ntl dev and ran into this error out of nowhere:
Access to fetch at '' from origin 'http://localhost:8888' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.


  directory = "functions"

  for = "/*"
    Access-Control-Allow-Origin = "*"

Any help is appreciated

Greetings @willb335 :wave:

So for starters, I wouldn’t recommend this:

  for = "/*"
    Access-Control-Allow-Origin = "*"

Since it opens up all of your site content to any other domain that wants to pull it. In addition, while it reads like it should help your situation, I don’t think those headers get applied to responses from GoTrue (Netlify Identity).

That said, do you have a custom domain attached to the site? GoTrue is actually supposed to clear localhost:8888 as a CORS-able domain but I’ve seen over the last couple years a few instances where this problem crops up when using the * domain (no idea why).



Hey Jon, thanks for the quick reply. I don’t have a custom domain attached to the site, but the site is now fetching the token fine, no idea what caused the change. :man_shrugging:

I am using Access-Control-Allow-Origin = "" as a test and it is behaving like a Access-Control-Allow-Origin = "*". I expected to get a cors error when calling my functions with this value, not sure if you can provide any insight(a bit off topic).

Anyways, thanks for the reply, seems to be working.

1 Like