`fetch` requests made from our plugin to our API are setting the `Origin` header to `null`

We’ve encountered an issue where fetch requests made from our plugin to our API are setting the Origin header to null; therefore, our API calls from our Figma plugin to our servers are failing with a CORS error, and it's blocking us from adding important features to our plugin. Besides the CORS error, this behavior has also raised security concerns, particularly regarding potential CSRF vulnerabilities. Could you please provide guidance on the following:

  • Is this Origin: null behavior expected when making API requests from Figma plugins?
  • What is the recommended approach for securely communicating with our backend API from a plugin?
  • Are there any specific CORS configurations, alternative communication mechanisms, or plugin configurations that we can use so we can set the request origin to a specific value other than null?

We’re committed to building a secure and reliable integration, and insights on this matter would be greatly appreciated.
