# Access to fetch at 'https://myfuncapp.azurewebsites.net/api/endpoint' from origin 'https://myapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. - **ID:** `cloud/azure-function-app-cors-origin-not-allowed` - **Domain:** cloud - **Category:** config_error - **Verification:** ai_generated - **Fix Rate:** 85% ## Root Cause Azure Function App's CORS configuration does not include the requesting origin, or the function app uses an API Management layer that strips CORS headers. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Azure Functions Runtime 4.x | active | — | — | | Azure API Management 2022-09-01-preview | active | — | — | ## Workarounds 1. **In the Azure Portal, go to the Function App -> CORS -> add the allowed origin (e.g., https://myapp.com) in the allowed origins list. Ensure 'Enable Access-Control-Allow-Credentials' is unchecked if using wildcards.** (90% success) ``` In the Azure Portal, go to the Function App -> CORS -> add the allowed origin (e.g., https://myapp.com) in the allowed origins list. Ensure 'Enable Access-Control-Allow-Credentials' is unchecked if using wildcards. ``` 2. **If using Azure API Management, configure CORS policy at the API level: add a policy with element containing the origin URL.** (85% success) ``` If using Azure API Management, configure CORS policy at the API level: add a policy with element containing the origin URL. ``` 3. **Example code for manual CORS handling in a Python function: response = func.HttpResponse(body=..., status_code=200, headers={'Access-Control-Allow-Origin': 'https://myapp.com'})** (75% success) ``` Example code for manual CORS handling in a Python function: response = func.HttpResponse(body=..., status_code=200, headers={'Access-Control-Allow-Origin': 'https://myapp.com'}) ``` ## Dead Ends - **** — Azure Functions' built-in CORS middleware may override custom headers if both are present. (65% fail) - **** — Browsers send a preflight OPTIONS request; if the function does not handle it, the actual request is blocked. (75% fail)