CORS error when making API v2 requests

Before submitting a topic, please confirm the following

I have searched for similar issues before creating this topic.
I have verified that my repository is using the Codecov GitHub app, if using GitHub
I have validated my codecov.yaml configuration file.
I have filled out the below sections to the best of my ability.
I understand that the community boards are a free, best-effort tool. While we hope to have someone on the Codecov team resolve your problem quickly, this is not always possible.


I’m migrating Reviewable to use Codecov’s API v2, for the benefit of our mutual customers. I can get the information we need via the Commit detail API call, but when I try to make this request from the browser it refuses to let me see the response due to a CORS error. These are unauthenticated GET requests for public coverage results, not subject to preflight.

Could you please set an appropriate Access-Control-Allow-Origin header on API v2 responses? Either * or something fancier would be fine. Thanks.

Expected Results

The API response is available to our app.

Actual Results

Access to XMLHttpRequest at '' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Hello Codecov team,

Please address this problem ASAP because it blocks us from using the API too.

@pkaminski @outofforest I’ll sync with the product team tomorrow to see what we can do here.

@pkaminski can you go into a little more into how you are calling the API in browser?

I’m assuming you mean hitting something like I’m trying to reproduce this issue.

Yep, precisely. We just try to GET the URL above using XMLHttpRequest (technically via axios, but the error originates in the browser, not the library). You can observe it in production by visiting Reviewable - GitHub Code Reviews Done Right and looking at the console and network tab in the dev tools.

@pkaminski thanks for the details there. We are working on a workaround to allow API usage via Reviewable and to make sure we’re not opening any security issues for you as a user.