SAP Knowledge Base Article - Preview

3727369 - Access to fetch at 'https://api-domain/occ/v2/xxx/cms/pages' from origin 'https://spa/domain' has been blocked by CORS policy

Symptom

After changing the API domain from the SAP default domain to a custom domain, the website is not visible. The browser's Developer Tools >> Console shows error messages like the following:

Access to fetch at 'https://s1-api.gatesconnect.com.cn/occ/v2/gates-spa/cms/pages?pageType=ContentPage&pageLabelOrId=%2Flogin&lang=zh&curr=CNY' from origin 'https://stg-app.gatesconnect.com.cn' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In the browser's Developer Tools >> Network tab, the corresponding OPTIONS preflight request or the actual GET/POST request shows a Status Code of 403 Forbidden. Under the Preview tab, the response body is a block page that comes from the CDN.

Calling the same API endpoint directly with tools like Postman/Bruno may also return a 403, often with a CDN (e.g. Cloudflare) blocking page.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental." 
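
An added example, not part of the SAP article: it applies the browser's preflight checks to a captured OPTIONS response and uses the two symptoms above (403 status, CDN block page) to separate a CDN block from an API response that simply lacks CORS headers. The hostname, header values and the Cloudflare markers (`Server: cloudflare`, `CF-RAY`) are assumptions; other CDNs need their own markers.

```python
# Added example: triage a captured preflight response. All sample data is constructed.

CDN_MARKERS = {"cf-ray"}  # assumption: Cloudflare; add your CDN's response headers


def cors_check(origin, status, headers):
    """Apply the browser's preflight checks in order; return (passed, reason)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "No 'Access-Control-Allow-Origin' header is present"
    # "*" is only accepted by browsers for non-credentialed requests.
    if allow_origin not in ("*", origin):
        return False, f"'Access-Control-Allow-Origin' is {allow_origin!r}, not {origin!r}"
    if not 200 <= status <= 299:
        return False, f"preflight returned HTTP {status}, not an OK status"
    return True, "preflight passes"


def triage(origin, status, headers):
    """Say which layer most likely produced a failing preflight response."""
    passed, reason = cors_check(origin, status, headers)
    if passed:
        return "ok", reason
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    from_cdn = h.get("server") == "cloudflare" or bool(CDN_MARKERS & h.keys())
    is_html = h.get("content-type", "").startswith("text/html")
    # Heuristic: a 403 HTML page carrying CDN headers never reached the API.
    if status == 403 and from_cdn and is_html:
        return "cdn-block", reason
    return "origin-cors", reason


ORIGIN = "https://spa.example.com"  # constructed storefront origin

# Constructed response: CDN block page answering the OPTIONS request.
CDN_403 = {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
           "Content-Type": "text/html; charset=UTF-8"}
# Constructed response: API reached, but it sent no CORS headers for this origin.
API_NO_CORS = {"Content-Type": "application/json", "Allow": "GET, OPTIONS"}
# Constructed response: API reached and origin allowed.
API_OK = {"Access-Control-Allow-Origin": ORIGIN,
          "Access-Control-Allow-Methods": "GET, OPTIONS"}

if __name__ == "__main__":
    for name, status, hdrs in [("cdn", 403, CDN_403), ("api", 200, API_NO_CORS),
                               ("ok", 200, API_OK)]:
        print(name, triage(ORIGIN, status, hdrs))
```

Both failing cases produce the same console message in the browser, which is why the status code and response body from the Network tab are needed to tell them apart.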


Environment

SAP Commerce Cloud

Product

SAP Commerce Cloud all versions

Keywords

custom domain, SSL certificate, DNS settings, CORS policy, Angular, SPA, CDN, basesites, KBA, CEC-SPA, SAP Commerce Cloud Spartacus, Problem
