Cannot do API calls from sidebar extension due to CORS

Hello everyone,

I am trying to create a sidebar extension that needs to do API calls into another product, and ideally it would be hosted by Contentful.

However, apparently no Access-Control-Allow-Origin header is being sent to the iframe that hosts the application, so any attempt to directly call the API gets blocked by the browser as a CORS violation.

I have failed to find any way to influence this from the Contentful configuration side.

Is the only approach for this kind of scenario to host the App Framework application somewhere else outside Contentful, with an additional backend?

Looking at many of the same apps on GitHub, it appears some of them managed to perform API calls while being hosted by Contentful (or at least it looks like it).

Searching for documentation on the subject only shows up content from the now deprecated UI Extensions.

Any guidance on how to approach this?

Thanks in advance for any hints.


It’s not a Contentful or a Contentful configuration scenario.
From a CORS perspective, the API you call is the one that informs the browser whether or not the call is legit. Before sending your call to the API, there is a prefetch call sent to the same API endpoint (verb OPTIONS) that asks the server if it’s OK to send requests from the current URL of the application. There is also specific logic when it comes to frames that you should look into. But it doesn’t change the fact that the API itself informs the browser whether it needs to block the calls.

Thanks for the tip. I eventually found out that this is the case, and the third party does not allow this kind of scenario, as mentioned explicitly in their documentation.
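
As an added example (not part of the original thread, and not Contentful's or the third party's code), this shows the decision the answer above describes: the API being called answers the OPTIONS request and chooses whether to send Access-Control-Allow-Origin, and the browser enforces the result. The origins, allowlists and function names are constructed assumptions.

```javascript
// API-side CORS decision for a request coming from an app iframe.
// All origins and allowlists are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://sidebar-app.example"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Returns { status, headers } the API would send. reqHeaders uses
// lower-case names, as Node's http module presents them.
function corsResponse(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const headers = { Vary: "Origin" }; // caches must not reuse across origins
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (!origin) return { status: 200, headers };
  // Unknown origin: Access-Control-Allow-Origin is omitted, so the browser
  // refuses to expose the response to the calling script.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: method === "OPTIONS" ? 403 : 200, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin; // echo allowlisted origin
  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in reqHeaders;
  if (!isPreflight) return { status: 200, headers };
  // Preflight: check the method and headers the browser says it will send.
  const wantMethod = reqHeaders["access-control-request-method"];
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    delete headers["Access-Control-Allow-Origin"];
    return { status: 403, headers };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // cache the preflight result
  return { status: 204, headers };
}

// Browser-side view: may script running at `origin` read this response?
function browserAllows(origin, res) {
  const acao = res.headers["Access-Control-Allow-Origin"];
  return acao === origin || acao === "*";
}
```

When the API owner does not allowlist the origin serving the app, nothing on the hosting side can add the missing header; the browser only reads it from the API's own response.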