1

I have a Flask app on Render.com serving index.html, styles.css, and main.js from https://custom-va-template.onrender.com. My frontend at https://solixa.ai uses fetch("https://custom-va-template.onrender.com/index.html") to inject the chatbot HTML. The browser blocks that call with:

No 'Access-Control-Allow-Origin' header is present on the requested resource.

Yet loading /styles.css or /main.js via <link>/<script> works fine (they return Access-Control-Allow-Origin: *). A curl -I -H "Origin: https://solixa.ai" to /index.html shows no CORS header, while the same curl to /main.js does show it.

  1. Flask-CORS config

    from flask import Flask, send_from_directory, request, make_response
from flask_cors import CORS
import os

app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*"}}, send_wildcard=True, always_send=True)

UI_ASSETS_DIR = os.path.join(os.path.dirname(__file__), "..", "frontend")

@app.route('/index.html', methods=['GET', 'OPTIONS'])
def serve_index():
    origin = request.headers.get("Origin")
    if request.method == "OPTIONS":
        resp = make_response('', 204)
        if origin:
            resp.headers['Access-Control-Allow-Origin'] = origin
            resp.headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
            resp.headers['Access-Control-Allow-Headers'] = 'Content-Type'
            resp.headers['Vary'] = 'Origin'
        return resp
    resp = make_response(send_from_directory(UI_ASSETS_DIR, 'index.html'))
    if origin:
        resp.headers['Access-Control-Allow-Origin'] = origin
        resp.headers['Vary'] = 'Origin'
    return resp

    I expected curl -I -H "Origin: https://solixa.ai" https://custom-va-template.onrender.com/index.html to return Access-Control-Allow-Origin: https://solixa.ai. Instead, it returns no CORS header.

  2. After-request hook I added an @app.after_request to force ACAO on every response, but /index.html still comes back without it.

  3. Clearing cache & cache-busting I redeployed with Render’s “Clear build cache,” added ?v=12345 to URLs, and switched Cloudflare to DNS-only mode. None of these made /index.html include ACAO.

Expected result: All resources (HTML, CSS, JS) should return Access-Control-Allow-Origin so that the front end’s fetch("/index.html") succeeds. Any idea why HTML alone is missing that header on Render.com?

Improve this question
Related questions
3365
Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
1373
No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API
519
CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true
Load 6 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.