#lizabog
Which CORS errors and what does your integration look like?
The error I'm getting is: from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://test-app.our-domain.com' that is not equal to the supplied origin.
I'm seeing now that the request is going out without an origin header
Ok, but what exactly are you doing? What API requests are you making?
We're pulling data from our proprietary API
I need you to share the specific API request you're making to Stripe that is throwing the error
We're wondering if there's a way to redirect the request so that it appears to be coming from our domain instead. Can you provide any suggestions on how to achieve this?
I've no idea what this really means? Redirect which request?
We are not making API requests to Stripe. We are making API requests to our API (Chargeflow)
Then I'm not really sure how this issue pertains to Stripe?
Because it's coming from the Stripe Dashboard ... therefore our APIs are blocking it
Can you share a screenshot of the exact error you're referring to
Ok, and where is this error thrown exactly? Are you using a Stripe App?
Yes using Stripe App
I'm sorry I'm struggling to understand how this issue pertains to Stripe. You've alluded to it happening in our Dashboard, yet our Dashboard doesn't make API calls to Chargebee
Chargeflow*
We are building a Stripe App which makes API calls to Chargeflow
We're getting CORS because it's coming from Stripe Dashboard
But we cannot open our API to new endpoints because that is a security risk
You can't make the API calls from your Stripe App come from a different origin, no
Issue -- it's not coming from any origin. Please refer to the screenshot just a few messages above ^^ (origin 'null')
Possible solution which we need your help with -- perhaps we can use the Stripe subdomain (or some other endpoint) in order to change the DNS config. Do you know what this Stripe subdomain is?
Have you correctly configured the app manifest to allow the app to make requests to your APIs? https://stripe.com/docs/stripe-apps/build-ui#use-third-party-apis
Yes definitely
Then you need to configure your API/endpoint(s) to accept the API requests from the Stripe App
Again the request is going out without any origin in the request headers
I'm afraid that's not configurable
Is there a subdomain from Stripe?
I don't understand the question
It's a security risk to open our API (configuring API/endpoint(s) to accept the API requests from the Stripe App directly)
Therefore, instead, we'd like to use a Stripe subdomain to reroute
I'm afraid that's not possible
You should instead create your own API middleware/proxy to handle and forward those requests to your actual API
But what about the missing origins coming from Stripe Dashboard? How can we create an API middleware if there are no origins?
I don't really have a better solution for you right now. I'd recommend filing feedback with the Stripe Apps team on GH if this is a concern: https://github.com/stripe/stripe-apps/issues
Issues already opened. From over a year ago
Can you link me?
Ah, yep. This is the solution: https://stripe.com/docs/stripe-apps/build-backend#send-a-signed-request
You'd sign the request in your Stripe App and then verify it using the Stripe SDKs in your backend
But that requires allowing requests from null origins by setting the Access-Control-Allow-Origin to *.
This is definitely not a viable option due to security
Then I'm afraid we don't have a solution for you currently. I'd recommend re-opening that issue and relaying your concerns there
Ok thanks for bearing with us during this triage @bronze valve