CORS interruption while fetching Smartsheet API

We want to use a simple fetch to make a GET request for the data from our Smartsheet instead of using the Smartsheet JS SDK. The code snippet is as follows:

This JS file has been linked to an HTML file which is being fired up in the browser using the Live Server extension available in VS Code. But upon checking the console in the browser (all major browsers on the local system), we are observing this error:

The GET request is working fine when using Postman (Postman doesn't enforce CORS) or cURL. Therefore, we compared the underlying cURL in both cases. It seems the headers are not being passed properly for the fetch command.

We have other APIs associated with the project (not Smartsheet APIs) and fetch calls for them are working just fine. Therefore, I am wondering whether it's an issue related to the API or the live server we are using. As the documentation mentions connection to the API via the JS SDK, I thought of asking if there is any other way around?

Thank you for your help!

Answers

  • Brian_Richardson Overachievers Alumni

    Can you try adding the header Access-Control-Allow-Origin: *?

    There ends my knowledge heh. This sounds to me like something for the API devs to dig into, which will require a Support ticket from you to initiate. Unless @Genevieve P. has direct access to forward this on?

    BRIAN RICHARDSON | PMO TOOLS AND RESOURCES | HE|HIM

    SEATTLE WA, USA

    IRON MOUNTAIN

  • Heya! Thanks for the tag, @Brian_Richardson

    I'm not familiar with the Live Server extension available in VS Code so I'm unsure I (or frontline Support) would be able to help… we would test the request in Postman, which looks to be working, to ensure the API documentation is correct. However, Support does not actively support SDKs.

    "Access-Control-Allow-Origin" is not a Smartsheet header; this is what I found out about it in Stack Overflow https://stackoverflow.com/questions/10636611/how-does-the-access-control-allow-origin-header-work

    Based on this, Brian's suggestion of adding * looks to be what I would try:

    Only if the response contains "Access-Control-Allow-Origin" AND its value is "*" or contains the domain who submitted the CORS request, by satisfying this mandatory condition browser will submit the actual Cross-Domain request, and cache the result in "Preflight-Result-Cache".

    Let us know if this works, @Sayantan_sarkar!

    Cheers,
    Genevieve
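
Added example (not part of the thread and not Smartsheet code): a simplified JavaScript model of the check quoted from Stack Overflow above, showing that `Access-Control-Allow-Origin` is evaluated on the server's preflight response and that an `Authorization` request header is what forces that preflight. The origin, token and function names are constructed for illustration.

```javascript
// Simplified model of the browser's CORS check for fetch() (added example).
// Credentials mode, response status and Content-Type value rules are omitted.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

const lower = (names) => names.map((n) => n.trim().toLowerCase()).filter(Boolean);

// A preflight (OPTIONS) is sent when the method or any request header is not safelisted.
function needsPreflight(method, requestHeaders) {
  const extra = lower(Object.keys(requestHeaders)).filter((h) => !SAFELISTED_HEADERS.has(h));
  return !SIMPLE_METHODS.has(method.toUpperCase()) || extra.length > 0;
}

// Decide from the server's preflight RESPONSE headers whether the real request goes out.
function corsDecision(origin, method, requestHeaders, preflightResponseHeaders) {
  if (!needsPreflight(method, requestHeaders)) return "sent without preflight";
  const res = {};
  for (const [k, v] of Object.entries(preflightResponseHeaders)) res[k.toLowerCase()] = v;

  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return "blocked: origin not allowed";

  const allowedMethods = lower((res["access-control-allow-methods"] || "").split(","));
  if (!SIMPLE_METHODS.has(method.toUpperCase()) &&
      !allowedMethods.includes(method.toLowerCase()) && !allowedMethods.includes("*")) {
    return "blocked: method not allowed";
  }

  const allowedHeaders = lower((res["access-control-allow-headers"] || "").split(","));
  for (const h of lower(Object.keys(requestHeaders))) {
    if (SAFELISTED_HEADERS.has(h)) continue;
    // "*" never covers Authorization; the server must list it by name.
    const wildcardOk = allowedHeaders.includes("*") && h !== "authorization";
    if (!allowedHeaders.includes(h) && !wildcardOk) return `blocked: header ${h} not allowed`;
  }
  return "sent after preflight";
}

// Constructed sample: a local dev-server origin and a placeholder bearer token.
const ORIGIN = "http://127.0.0.1:5500";
const withToken = { Authorization: "Bearer <token>" };
// No CORS headers in the preflight response: the GET never leaves the browser.
console.log(corsDecision(ORIGIN, "GET", withToken, {}));
// Putting Access-Control-Allow-Origin on the REQUEST changes nothing.
console.log(corsDecision(ORIGIN, "GET", { ...withToken, "Access-Control-Allow-Origin": "*" }, {}));
// Server allows the origin and names Authorization explicitly.
console.log(corsDecision(ORIGIN, "GET", withToken,
  { "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Headers": "Authorization" }));
```

Because this check runs only in browsers, the same request issued from server-side code (as with Postman or cURL in the question) is not subject to it, and doing so keeps the API token out of page JavaScript.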