CORS error in experience builder

09-23-2020 01:18 PM
Esri Contributor


My client is getting this CORS error in experience builder:

Access to fetch at '' from origin '' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value '' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

He added this map service ( to a webmap in ArcGIS Online and save the map.

In experience builder, he is getting the CORS error when trying to select the web map and add data.

I couldn't reproduce the same CORS error the first time, but I could add it the 2nd time.

He couldn't reproduce the issue with sampleserver6 so I think it could be related to some CORS setting on the web server.



0 Kudos
5 Replies
Esri Regular Contributor

Hi Andy,

This issue has been fixed and will be available in our October release. I was able to load that service without any issues with my local test build. 



0 Kudos
New Contributor


I have the some issue with a custom image symbol in a web map. With Experience, the layer with this symbol, does not appaear.  With this error message in the console: 

Access to fetch at 'https://www.xxxxx.png' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

is this alos a known issue ?



New Contributor II

Hi @DavidMartinez ,

I'm experiencing what seems to be a similar issue: Embedding an arcgis dashboard in an Arcgis Enterprise 10.9 Experience Builder (using the embed widget), I get a "can't access arcgis organization" error - and developer mode shows a CORS issue. Is there any workaround for this...? - screenshot attached.

0 Kudos
New Contributor

Hi @chaims ,

I do have same problem with you, do you have fix the issue?
Kindly need your help for this problem

Thank you

0 Kudos
New Contributor II


i found this topic as i had the same problem (can't access arcgis organization - error and developer mode shows a CORS issue).  It took me about an Day to figure out the Solution / Hack. 

go to your portal installation dir (c:\program files\arcgis\portal) from there navigate to apps\experiencebuilder\widgets\common\embed. thats the folder of the embed widget, that is causing the CORS Error. 

to understand the problem go into src\runtime and open widget.tsx with an text editor.  go to line 563 and you will find something like sandbox="allow-scripts allow-forms allow-popups allow-presentation allow-popups-to-escape-sandbox" that are the parameters that the embed widget will use with its iframe to embed an url from an unknown source (maybe dangerous). The code is sightly different from 10.8.1 and i think it changed because of security reasons. To get javascript process that part of the code there is a check for "withSandbox" and that variable is set in a function called "checkSafeDomain". Search for that function and you will find an array consisting of two strings '',''. these are the two domains considert to be safe. remember these two strings.


to fix the problem you have to navigate to the dist\runtime folder. make an backup of widget.js and open it with an text editor.  Search for an array ["",""] . ist "compressed" javascript and you will find it in line 1 position 5009. Add your own Portal-FQDN to that list.


Now you have to clear your browser cache as browsers think js-ressource-files never change. and thats it.

Please be aware that users may be able to embed malicious code by placing it somewhere inside your web / content.