The CORS Header ‘Access-Control-Allow-Origin’ is missing

I’m trying to use webUntis'(docs) API for a school project. For now I’m just trying to establish any kind of connection to the API.

var result;
const url="";
var xhr = new XMLHttpRequest();'GET',url, true);
xhr.setRequestHeader('X-API-KEY', '/*API KEY*/');

xhr.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
        result = xhr.responseType;

This code produces the following error message:

Cross-Origin request blocked: The same origin policy prohibits the
reading of the external resource at
(Reason: CORS Header ‘Access-Control-Allow-Origin’ is missing).

How may this problem be solved? Perhaps my API key is wrong?

Disclaimer: The error message was translated from German.

You are making a request to another site, in this case the API at This type of request is called a “Cross Origin Request”

For such requests to work in JavaScript, the server on their end needs to allow them.

This is done by their server sending special CORS headers, the most basic one being the “Access-Control-Allow-Origin” header.

I guess the API provider has not foreseen or planned for this API to be used from a frontend (e.g. JavaScript in the browser), so you would have to work around this.

One way is to set up your own server and have the JavaScript code make a request to your server and your server then making a request to the API, as server side code is not bound to CORS headers.

Alternatively, to try things out, you can prefix the URL with like this:

const url="";

What is CORS ?

Read More:   In javascript how can we identify whether an object is a Hash or an Array?

from MDN :

Cross-Origin Resource Sharing (CORS) is a mechanism that uses
additional HTTP headers to let a user agent gain permission to access
selected resources from a server on a different origin (domain) than
the site currently in use. A user agent makes a cross-origin HTTP
request when it requests a resource from a different domain, protocol,
or port than the one from which the current document originated.


You need to settings the CORS permission in your server. (

Setting Example :

  1. PHP

    header("Access-Control-Allow-Origin: *");

  2. Rails

    #in config/application.rb
    config.action_dispatch.default_headers = {
    'Access-Control-Allow-Origin' => '*',
    'Access-Control-Request-Method' => %w{GET POST OPTIONS}.join(",")

note: Change * to specific URL that you want to allow CORS. ‘*’ is highly discouraged, unless you are providing a public API that is intended to be accessed by any consumer out there.

It basically means that this API is not configured to be called from another web page. Cross-Origin refers to making an HTTP request from one domain (origin) to another. This API is meant to be used from a server application. If you need to call it from a web page, you’ll need to create a simple proxy server that your web page can call which will make the request to webUntis.

Sending Access-Control-Allow-Origin to the server solves nothing. Server has to send Access-Control-Allow-Origin set to * to your browser to allow ajax requests to run.

The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .

Similar Posts