Team is facing this CORS issue while calling ChatID API through Figma Plugin in the Frontend.
Below is the error facing:
Access to fetch at 'https://******ChatId' from origin 'null' has been blocked by CORS policy: Request header field x-security-key is not allowed by Access-Control-Allow-Headers in preflight response.
VM374:6
Hey
Figma plugins use null origin iframes, which is blocked by the ChatID API. In the case you don’t own the API, try hosting your own site and navigating the plugin to it to make the requests: https://www.figma.com/plugin-docs/creating-ui/#non-null-origin-iframes.
Let me know if that doesn’t align with your issue ( ex: you do own the API in question). I can check again to see what other guidance may be helpful.
Thank you
We do not own API, and it’s a known thing that no server/api should support incoming request with Origin ‘null’. So we urgently need your support to close the issue, currently it is impacting our client delivery.
Appreciate your quick response to resolve this issue.
Hello
We tried hosting our plugin UI as a separate static webpage which performs fetch and uses postMessage to send data back to the plugin.
Now the ui.html is still being loaded inside the Figma plugin iframe even though it is externally hosted. That iframe always is isolated and has: Origin: null, CORS-restricted fetch() environment.
Hence to conclude:
1. When we run the ui from the hosted static server the origin is that static server url itself which is correct
2. But figma desktop app does not allow the origin to be set to something other than null. Even when we load the plugin UI from an external hosted static server via figma.showUI().
Please let us know how to proceed further on this issue.
Hey networkAccess.allowedDomains in your manifest.json
See here for more guidance and details: https://www.figma.com/plugin-docs/manifest/#networkaccess
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.