Firestore: Fetch API cannot load... due to access control checks

Time:11-18

Getting this error on mobile Safari:

Fetch API cannot load https://firestore.googleapis.com/google.firestore.v1.Firestore/Write/channel?gsessionid=&database=&RID=&AID&TYPE=xmlhttp&zx=&t=1 due to access control checks.

(I stripped out some of the param values)

The app is working though, and the domain is whitelisted in the Firestore settings. But I want to resolve this error anyway.

It's not a db rules issue, because those throw specific issues. I opened all the documents anyway to check, but this error persisted:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

Search results for this error generally refer to CORS issues, but that doesn't make sense for this case. Any ideas appreciated...

"firebase": "^9.10.0"

CodePudding user response:

If I'm not mistaken, Firestore can't be used if the user isn't logged in. Maybe you should add a user login before doing anything in Firestore, and add this to the Firestore rules. [CMIIW]

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      // Allow access only to signed-in users.
      allow read, write: if request.auth != null;
    }
  }
}

CodePudding user response:

The error mentioned seems to be due to CORS issues. You should also check whether the header Access-Control-Allow-Origin is set on both the server side and the client side.
Also, as stated here, try to compare the actual requests made by Safari with the successful requests to spot possible missing headers (and maybe compare them to your server configuration as well).
This kind of implementation was previously achieved using XMLHttpRequest. “Fetch” provides a better alternative that can be easily used by other technologies such as Service Workers. Fetch also provides a single logical place to define other HTTP-related concepts such as CORS and extensions to HTTP.
A core security principle of the web is: loading resources from other domains is disallowed by default, unless the server specifically allows it. The error message could also appear because you are trying to fetch something from a different domain, and the server is not set up to specifically allow it. Read up on Cross-Origin Resource Sharing (CORS) to learn more. Usually it comes down to adding the HTTP header Access-Control-Allow-Origin: * on the response.

See similar example here:
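
The header checks discussed in the response above (Access-Control-Allow-Origin, and comparing a failing Safari response with a successful one) can be done mechanically. The following is an added example, not part of the original thread or of the Firebase SDK: it implements the CORS check defined in the Fetch standard plus a header diff. The function names, the origin https://app.example and the captured headers are constructed assumptions.

```javascript
// Added example: the CORS check a browser applies to a cross-origin fetch
// response (per the Fetch standard), plus a header diff for comparing a
// failing response with a working one. All sample values are constructed.

// Normalise a plain header object to lowercase names and trimmed values.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns { ok, reason }. credentialsMode is "omit", "same-origin" or "include".
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = normalise(responseHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "Access-Control-Allow-Origin missing" };
  }
  const withCredentials = credentialsMode === "include";
  if (!withCredentials && allowOrigin === "*") {
    return { ok: true, reason: "wildcard accepted without credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: `origin mismatch: got "${allowOrigin}"` };
  }
  if (!withCredentials) return { ok: true, reason: "origin matches" };
  if (h["access-control-allow-credentials"] === "true") {
    return { ok: true, reason: "origin matches, credentials allowed" };
  }
  return { ok: false, reason: "Access-Control-Allow-Credentials is not \"true\"" };
}

// Header names present on the working response but absent from the failing one.
function missingHeaders(failing, working) {
  const f = normalise(failing);
  return Object.keys(normalise(working)).filter((name) => !(name in f)).sort();
}

// Constructed captures, e.g. copied from the browser's network inspector.
const ORIGIN = "https://app.example";
const working = { "Access-Control-Allow-Origin": ORIGIN,
                  "Access-Control-Allow-Credentials": "true", "Vary": "Origin" };
const failing = { "Access-Control-Allow-Origin": "*" };

console.log(corsCheck(ORIGIN, "include", working));
console.log(corsCheck(ORIGIN, "include", failing));
console.log(missingHeaders(failing, working));
```

A wildcard Access-Control-Allow-Origin passes this check only when the request carries no credentials; a credentialed request needs the exact origin echoed back together with Access-Control-Allow-Credentials: true.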
