I've started seeing this in my browser consoles when loading a single-page app with the web widget:
Access to XMLHttpRequest at 'https://mysubdomain.zendesk.com/embeddable_blip?type=userAction&data=...'
from origin 'https://myapp.example.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
It occurs for embeddable_blip and embeddable_identify calls. It doesn't affect all calls to those endpoints, just some of them. When I check the response headers, sure enough, when it works there is an "Access-Control-Allow-Origin: https://myapp.example.com". When it triggers an error it's because there is no Access-Control-Allow-Origin at all.
So usually Zendesk is sending CORS headers for these calls, but sometimes it's not, and that's when we get an error.
The web widget authentication still seems to work: I can access restricted help center content and the Live Chat seems to know who I am.
Example bad response (no CORS header):
accept-ranges: bytes
cf-cache-status: MISS
cf-ray: 63625c9469dc3fd2-YYZ
cf-request-id: 09115830c400003fd23f910000000001
content-length: 0
date: Fri, 26 Mar 2021 18:14:58 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
nel: {"report_to":"cf-nel","max_age":604800}
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WRm<omitted>%2FljL"}]}
server: cloudflare
set-cookie: __cfduid=<omitted>; expires=Sun, 25-Apr-21 18:14:57 GMT; path=/; domain=.mysubdomain.zendesk.com; HttpOnly; SameSite=Lax
set-cookie: __cfruid=<omitted>-1616782498; path=/; domain=.mysubdomain.zendesk.com; HttpOnly; Secure; SameSite=None
vary: Accept-Encoding
x-content-type-options: nosniff
x-request-id: 592335c1552e7d897be45d4ddd358773
x-zendesk-zorg: yes
Example good response with CORS header:
access-control-allow-origin: https://myapp.example.com
cache-control: no-store, no-cache, must-revalidate
cf-cache-status: MISS
cf-ray: 63625c9469de3fd2-YYZ
cf-request-id: 09115830c400003fd26509d000000001
content-encoding: br
content-type: text/html; charset=utf-8
date: Fri, 26 Mar 2021 18:14:58 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
nel: {"report_to":"cf-nel","max_age":604800}
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=<omitted>%2Bx1zxgSFLKM5pwp6y98d%2BM0d4WXt9qo%2F3mFRldZABR5HKh5UDI1GHyL1fNfQ"}]}
server: cloudflare
set-cookie: __cfduid=<omitted>; expires=Sun, 25-Apr-21 18:14:57 GMT; path=/; domain=.mysubdomain.zendesk.com; HttpOnly; SameSite=Lax
set-cookie: __cfruid=<omitted>; path=/; domain=.mysubdomain.zendesk.com; HttpOnly; Secure; SameSite=None
vary: Accept-Encoding
(The other difference is the "bad" response has a content-length: 0, and the "good" response has no content-length header)



Hi folks, the widget team was rolling out a new backend change that caused some requests to be missing the Access-Control-Allow-Origin header. The requests in question were duplicates, so there was no impact to the functionality in the widget, but you did end up getting those CORS errors in the console. The underlying issue has since been fixed, so you shouldn't see any more errors now.
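
The browser-side decision behind the console error in this thread, as an added example (not code from the posts or from Zendesk): it applies the Fetch standard's CORS check to header samples abbreviated from the two responses quoted above, then lists which headers differ. The function names and the default credentials mode are assumptions made for illustration.

```javascript
// Header samples abbreviated from the "bad" and "good" responses quoted in the post.
const BAD = `content-length: 0
server: cloudflare
vary: Accept-Encoding
x-content-type-options: nosniff`;

const GOOD = `access-control-allow-origin: https://myapp.example.com
cache-control: no-store, no-cache, must-revalidate
content-type: text/html; charset=utf-8
server: cloudflare
vary: Accept-Encoding`;

// Parse "name: value" lines into a Map; repeated names are joined with ", ".
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// CORS check as the Fetch standard defines it. credentialsMode is an assumption:
// the thread does not say whether the widget sends credentials.
function corsCheck(headers, requestOrigin, credentialsMode = "same-origin") {
  const allowed = headers.get("access-control-allow-origin");
  if (allowed === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  const withCreds = credentialsMode === "include";
  if (!withCreds && allowed === "*") return { ok: true, reason: "wildcard" };
  if (allowed !== requestOrigin) return { ok: false, reason: `origin mismatch: ${allowed}` };
  if (!withCreds) return { ok: true, reason: "origin match" };
  return headers.get("access-control-allow-credentials") === "true"
    ? { ok: true, reason: "origin match with credentials" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
}

// Header names present in response a but absent from response b.
function missingFrom(a, b) {
  return [...a.keys()].filter((name) => !b.has(name)).sort();
}
```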