1

I have a Flask app on Render.com serving index.html, styles.css, and main.js from https://custom-va-template.onrender.com. My frontend at https://solixa.ai uses fetch("https://custom-va-template.onrender.com/index.html") to inject the chatbot HTML. The browser blocks that call with:

No 'Access-Control-Allow-Origin' header is present on the requested resource.

Yet loading /styles.css or /main.js via <link>/<script> works fine (they return Access-Control-Allow-Origin: *). A curl -I -H "Origin: https://solixa.ai" to /index.html shows no CORS header, while the same curl to /main.js does show it.

  1. Flask-CORS config

    from flask import Flask, send_from_directory, request, make_response
from flask_cors import CORS
import os

app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*"}}, send_wildcard=True, always_send=True)

UI_ASSETS_DIR = os.path.join(os.path.dirname(__file__), "..", "frontend")

@app.route('/index.html', methods=['GET', 'OPTIONS'])
def serve_index():
    origin = request.headers.get("Origin")
    if request.method == "OPTIONS":
        resp = make_response('', 204)
        if origin:
            resp.headers['Access-Control-Allow-Origin'] = origin
            resp.headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
            resp.headers['Access-Control-Allow-Headers'] = 'Content-Type'
            resp.headers['Vary'] = 'Origin'
        return resp
    resp = make_response(send_from_directory(UI_ASSETS_DIR, 'index.html'))
    if origin:
        resp.headers['Access-Control-Allow-Origin'] = origin
        resp.headers['Vary'] = 'Origin'
    return resp

    I expected curl -I -H "Origin: https://solixa.ai" https://custom-va-template.onrender.com/index.html to return Access-Control-Allow-Origin: https://solixa.ai. Instead, it returns no CORS header.

  2. After-request hook I added an @app.after_request to force ACAO on every response, but /index.html still comes back without it.

  3. Clearing cache & cache-busting I redeployed with Render’s “Clear build cache,” added ?v=12345 to URLs, and switched Cloudflare to DNS-only mode. None of these made /index.html include ACAO.

Expected result: All resources (HTML, CSS, JS) should return Access-Control-Allow-Origin so that the front end’s fetch("/index.html") succeeds. Any idea why HTML alone is missing that header on Render.com?

Improve this question
Related questions
3365
Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
1373
No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API
519
CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true
Load 6 more related questions Show fewer related questions

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.