Community Member

CORS policy error

We are trying to access Canvas APIs from our web page (different domain). During the process, while attempting to fetch data, we are getting a CORS policy error (screenshot attached). We assume that there should be some config file added in the root folder of the Canvas server in order to access the API from our website.


Can someone help me in adding our server to Canvas?

5 Replies
Community Champion


Aside from the CORS message, your image includes an access token. You should immediately invalidate that token since you've now put it on the web for people to see. That is basically giving anyone access to your Canvas installation as that user. See How do I manage API access tokens as an admin?

It's best if you don't send access tokens in URLs -- ever. If you're making the call from within Canvas, they're not necessary. If you're using the API, it's not necessary within a browser that is logged into Canvas. Never include an access token in any JavaScript that is within a browser as that can be exposed to the user and bad things can happen. If you're calling from a programming language and not within a browser, then you should include it in the header.

As for the CORS issue, you're trying to access from Those are not the same domain, so that's why you're getting the error.

We assume that there should be some config file added in the root folder of Canvas server in order to access API from our website.

This is not a valid assumption. You want Canvas to weaken their security to support your website when you've demonstrated that you don't understand how their security model works. That's a recipe for disaster and it's not going to happen.

Canvas does have a content security policy that you control. We haven't enabled it and I'm not completely sure what you're trying to do, but you may look into it. How do I manage the Content Security Policy for an account? 

More likely is that you need to run something server-side on your end that calls the API and then passes the results on to the user. That will avoid the CORS issue and not expose access tokens to the user through JavaScript.

Community Team

@shreeram_r, per @James's timely caution (thanks, James!), we have removed the attachment that revealed the access token. Even though it is no longer visible, it has been publicly displayed for at least an hour, so you'd be wise to invalidate it.

Community Member

Hi James & Stefanie,

Thanks for your reply and removing the attachment.

The access token was created using OAuth2( and the token was expired by the time I posted my query.

We are trying to access the user details and course details APIs; we wanted those to be displayed in our web page.

We will try to enable Setting and try to add our domain(, hopefully this may solve CORS policy error, correct me if I am wrong.

We have also added web.config in the root of our domain.

Hope for the best :)

Community Champion

Coming from a Linux world, I had not heard of web.config. It appears to be a Microsoft thing. It has nothing to do with Canvas.

The same-origin issue is on the Canvas side. Telling your server that it's okay to connect to Canvas and bypass CORS doesn't impact Canvas in the slightest. That wouldn't provide any real security if the calling end could override it. What you control on your server is for sites that are connecting to your server, not what your server is connecting to. Neither will trying to lie to the Canvas server with a host header to claim you're from the same origin.

After reading more, I do not think that the Content Security Policy (CSP) will allow you to do this, so if you change it, please report back with whether it works. The second sentence in the document I linked to about the CSP was "The Content Security Policy allows you to restrict custom JavaScript that runs in your instance of Canvas." What you are trying to do is access the API from outside of Canvas. With CORS, there may be a preflight request/response to make sure the request will be accepted and then, if acceptable, it makes the real request. The HTTP server is the one that determines the same-origin violation before the request ever gets to the logic of the application (Canvas), but the Canvas CSP is after Canvas has received and acts on the request.

One way to handle this on your server is to write a script that will make the API call for you and fetch the information that you need and then inject it into the page. The script should be a server script, not a browser script. You can have your JavaScript make an AJAX call to the server that fetches the information from Canvas and returns it. But do not make the call within the browser or you're going to run into the security issue. Your server-side script is acting as a proxy for the browser.

Another way to handle this is that you can set up Canvas to transfer information such as the course and some details about the user with the LTI connection. Then you would have that without having to make an API call to Canvas to get it.

Here are some previous questions in the Community about other people having this problem. The discussion around them may prove beneficial.

Here are a couple of links to the Mozilla Developer Network that explain the same-origin policy and CORS.
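
The server-side proxy described in the reply above, sketched as an added example; it is not part of the original post and is not Canvas's own code. It assumes Node 18+, a hypothetical Canvas host in `CANVAS_BASE`, hypothetical `/proxy/...` route names, and the access token held in the server's `CANVAS_TOKEN` environment variable.

```javascript
// Added example (not Canvas code). Runs on YOUR server, Node 18+.
// CANVAS_BASE and the /proxy/... route names are assumptions for illustration.
const CANVAS_BASE = process.env.CANVAS_BASE || "https://canvas.example.edu";

// Only these browser-facing routes are proxied; anything else is refused,
// so the endpoint cannot be used as a general relay into the Canvas API.
const ROUTES = [
  { pattern: /^\/proxy\/profile$/, upstream: () => "/api/v1/users/self/profile" },
  { pattern: /^\/proxy\/courses\/(\d+)$/, upstream: (m) => `/api/v1/courses/${m[1]}` },
];

// Map a browser request path to the Canvas request, or null if not allowed.
// The token travels in the Authorization header, never in the URL.
function buildUpstreamRequest(path, token, base = CANVAS_BASE) {
  for (const { pattern, upstream } of ROUTES) {
    const m = pattern.exec(path);
    if (m) {
      return {
        url: new URL(upstream(m), base).href,
        headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
      };
    }
  }
  return null;
}

// Handler for http.createServer(); fetchImpl is injectable so it can be stubbed.
async function handleProxy(req, res, token = process.env.CANVAS_TOKEN, fetchImpl = fetch) {
  const path = new URL(req.url, "http://localhost").pathname;
  const upstream = req.method === "GET" && token ? buildUpstreamRequest(path, token) : null;
  if (!upstream) {
    res.writeHead(404, { "Content-Type": "application/json" });
    return res.end(JSON.stringify({ error: "not found" }));
  }
  try {
    const r = await fetchImpl(upstream.url, { headers: upstream.headers });
    const body = await r.text();
    // Relay only status and payload; the token never reaches the browser.
    res.writeHead(r.status, { "Content-Type": "application/json" });
    res.end(body);
  } catch (err) {
    res.writeHead(502, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "upstream request failed" }));
  }
}
// Wiring: require("http").createServer((q, s) => handleProxy(q, s)).listen(3000);
```

Because the proxy acts with the token's privileges, it belongs behind your site's own login check; the page's JavaScript then calls `/proxy/...` on your origin, so no cross-origin request to Canvas is made from the browser.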

Community Coach

Good evening, @shreeram_r...

I am reviewing some of the older questions here in the Canvas Community, and I stumbled upon your question. I wanted to check in with you because there hasn't been any new activity in this topic for quite some time. It looks like @James has been helping you with your question. Do you feel that James has helped to answer your question? If so, please feel free to click on the "Mark Correct" button next to one of his replies. However, if you are still looking for some help from Community members, please let us know by posting a note below. For the time being, I am going to mark your question as "Assumed Answered" because there hasn't been any new activity in this topic for almost six months. However, that won't prevent you or others from posting additional questions and/or comments below that are related to this topic. I hope that's okay with you, Shreeram. Looking forward to hearing back from you soon.