CORS (Cross-Origin Resource Sharing) is the allowlist of external web origins that can make browser-side JavaScript calls to Salesforce APIs. Without a CORS entry, the browser blocks cross-origin XHR / fetch — even if the API call would otherwise succeed. Required for any external web app calling Salesforce REST APIs from the browser.
- Open Setup → CORS
Setup gear → Quick Find: CORS → CORS.
- Click New
Top-right of the list.
- Set the Origin URL
https://yourapp.com (no trailing slash). Wildcards: https://*.yourapp.com matches all subdomains.
- Save
Origin is now allowed. Salesforce will now answer the browser's CORS preflight from this origin with a matching Access-Control-Allow-Origin header.
- Configure your external app's API calls
From the external app, call Salesforce REST APIs as usual (https://yourorg.my.salesforce.com/services/data/...). Browser fetches now succeed.
- Test with the browser console
Open developer tools → Network tab → confirm CORS preflight (OPTIONS request) succeeds with the right Access-Control-Allow-Origin header.
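The two steps above (calling the REST API from the external app, then checking the preflight in developer tools) as an added browser-side example. This is not Salesforce's code or the page's own; ORG_URL and API_VERSION are placeholders, the `fetchImpl` parameter exists only so the helper can be exercised with a constructed stand-in for `fetch`, and the `preflightLooksRight` checklist is applied to header values you copy out of the Network tab, since a blocked cross-origin request never exposes its headers to page script.

```javascript
// Added example (not Salesforce's or any vendor's code): call a Salesforce REST
// endpoint from an allowlisted origin and tell a CORS block apart from an
// authentication failure. ORG_URL and API_VERSION are placeholders.

const ORG_URL = "https://yourorg.my.salesforce.com"; // placeholder instance URL
const API_VERSION = "v60.0";                          // placeholder API version

// Build the fetch options. The CORS allowlist only lets the cross-origin
// request through; the bearer token is still required for a 2xx response.
function buildRequest(accessToken, method = "GET", body) {
  const headers = {
    Authorization: `Bearer ${accessToken}`,
    Accept: "application/json",
  };
  const init = { method, headers };
  if (body !== undefined) {
    headers["Content-Type"] = "application/json"; // non-simple type, so a preflight is sent
    init.body = JSON.stringify(body);
  }
  return init;
}

// Map what fetch() gave back to a diagnosis. A CORS block never produces a
// Response: fetch rejects with a TypeError before any status is visible, so the
// distinction is "rejected" (CORS or network) versus "resolved with 401".
function classifyOutcome({ response, error }) {
  if (error) {
    return { kind: "blocked", detail: "no response reached the page: check the CORS entry for this origin (and the network)" };
  }
  if (response.status === 401) {
    return { kind: "unauthorized", detail: "CORS passed; the access token is missing, expired or invalid" };
  }
  if (!response.ok) return { kind: "http_error", status: response.status };
  return { kind: "ok", status: response.status };
}

// Perform the call. fetchImpl is injectable so the helper can run without a network.
async function callSalesforce(path, accessToken, { method = "GET", body, fetchImpl = globalThis.fetch } = {}) {
  const url = `${ORG_URL}/services/data/${API_VERSION}${path}`;
  let response;
  try {
    response = await fetchImpl(url, buildRequest(accessToken, method, body));
  } catch (error) {
    return classifyOutcome({ error });
  }
  const outcome = classifyOutcome({ response });
  if (outcome.kind === "ok") outcome.data = await response.json();
  return outcome;
}

// What the Network tab should show for the OPTIONS preflight: a 2xx status and
// an Access-Control-Allow-Origin equal to the page's origin (or "*").
// `headers` is a plain object copied from DevTools; key lookup is case-insensitive.
function preflightLooksRight(pageOrigin, status, headers) {
  const allow = Object.entries(headers).find(([k]) => k.toLowerCase() === "access-control-allow-origin");
  if (status < 200 || status >= 300 || !allow) return false;
  return allow[1] === "*" || allow[1] === pageOrigin;
}

// Constructed stand-in for fetch: behaves like an org that accepts the origin
// but rejects the token, which is what an expired token looks like once CORS is set up.
const fakeUnauthorizedFetch = async () => ({ ok: false, status: 401, json: async () => ({}) });
callSalesforce("/query?q=SELECT+Id+FROM+Account", "expired-token", { fetchImpl: fakeUnauthorizedFetch })
  .then((r) => console.log(r.kind)); // unauthorized
```

The point of `classifyOutcome` is the one the page makes at the end: once the origin is allowlisted, a 401 means the token is the problem, while a rejected promise with no status means the request never got past the browser's CORS check.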
Allowed Origin URL patterns: a specific URL or a subdomain wildcard. https://*.example.com works. Other patterns (path-level wildcards) don't.
- CORS in Salesforce only applies to API endpoints (REST, Connect API, Lightning Out). Setup pages, Visualforce pages, and Lightning components have their own CSP / iframe rules — see Trusted URLs for those.
- CORS doesn't bypass authentication. Even with the origin allowlisted, the browser must still send a valid OAuth access token — CORS only handles the cross-origin preflight.
- Wildcards have a specific syntax. https://*.example.com matches subdomains; http:// (non-HTTPS) origins are not allowed for production. A misconfigured wildcard fails silently, so the only symptom is a blocked request in the browser.
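The origin-pattern rules above (specific URL or leading subdomain wildcard, no path-level wildcards, no trailing slash, HTTPS only) as an added example: a small local model for linting allowlist entries before you save them, which is the practical answer to "misconfigured wildcards fail silently". This is not Salesforce's matching implementation, and two details are assumptions not stated on the page: the wildcard matches any depth of subdomain, and https://*.example.com does not match the bare https://example.com.

```javascript
// Added example (not Salesforce's implementation): a local model of the CORS
// origin-pattern rules described on this page, for checking entries offline.
// Assumptions: wildcard matches any subdomain depth; the bare apex domain is
// not matched by its own wildcard entry.

const ORIGIN_RE = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)$/i; // scheme://host, nothing after the host

// Validate one allowlist entry. Returns { ok: false, reason } or
// { ok: true, scheme, host, wildcard }.
function validateOriginPattern(pattern) {
  const m = ORIGIN_RE.exec(pattern);
  if (!m) {
    return { ok: false, reason: "must be scheme://host with no path, query or trailing slash" };
  }
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  if (scheme !== "https") return { ok: false, reason: "only https origins are accepted" };
  const wildcard = host.startsWith("*.");
  if (host.includes("*") && (!wildcard || host.indexOf("*", 1) !== -1)) {
    return { ok: false, reason: "wildcard is only allowed as a leading subdomain label (https://*.example.com)" };
  }
  if (wildcard && host.length <= 2) return { ok: false, reason: "wildcard needs a base domain" };
  return { ok: true, scheme, host, wildcard };
}

// Does a browser origin (location.origin, never with a trailing slash) match any
// valid entry? Wildcard matching is done on a label boundary (".yourapp.com"),
// so https://yourapp.com.attacker.example and https://evilyourapp.com do not
// match https://*.yourapp.com.
function originAllowed(origin, patterns) {
  const o = ORIGIN_RE.exec(origin);
  if (!o) return false;
  const scheme = o[1].toLowerCase();
  const host = o[2].toLowerCase();
  return patterns.some((p) => {
    const v = validateOriginPattern(p);
    if (!v.ok || v.scheme !== scheme) return false;
    if (!v.wildcard) return v.host === host;
    const base = v.host.slice(1); // "*.yourapp.com" -> ".yourapp.com"
    return host.endsWith(base) && host.length > base.length;
  });
}

// Report every entry that would silently do nothing, with the reason.
function lintAllowlist(patterns) {
  return patterns
    .map((p) => ({ pattern: p, ...validateOriginPattern(p) }))
    .filter((r) => !r.ok)
    .map(({ pattern, reason }) => ({ pattern, reason }));
}

// Constructed allowlist: one good entry, one good wildcard, three broken ones.
const EXAMPLE_ALLOWLIST = [
  "https://yourapp.com",
  "https://*.yourapp.com",
  "https://yourapp.com/",     // trailing slash
  "http://dev.yourapp.com",   // not HTTPS
  "https://yourapp.com/*",    // path-level wildcard
];
console.log(lintAllowlist(EXAMPLE_ALLOWLIST).map((r) => `${r.pattern}: ${r.reason}`).join("\n"));
```

Run `lintAllowlist` over the entries you intend to create; anything it reports would otherwise save as dead configuration and show up only as a CORS error in the browser.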