Users encounter the following error in a Salesforce Visualforce page:
"XMLHttpRequest cannot load, No 'Access-Control-Allow-Origin' header is present"
This is a CORS (Cross-Origin Resource Sharing) error. CORS is a browser security mechanism that blocks web pages from making requests to a different domain than the one that served the page.
In Salesforce, this error occurs when a Visualforce page is embedded in a standard page layout for a custom object and makes polling requests to check whether a background process is complete. The Visualforce page is loaded from one Salesforce domain (for example, <REDACTED>) but the polling request is sent to a different Salesforce subdomain (c.na14.visual.force.com`). Because these are different domains, the browser's CORS policy blocks the request.
This article describes how to resolve the CORS error using Salesforce's built-in HTTP(S) Proxy.
Salesforce provides a built-in HTTP(S) Proxy that allows Visualforce pages to make cross-domain requests through a single Salesforce-controlled endpoint, which bypasses the browser's CORS restriction.
To enable the proxy, first add your Salesforce instance as a Remote Site:
Click New Remote Site and add your Salesforce instance URL (for example, `). Ensure the HTTPS version is used.
See: Configure Remote Site Settings for full configuration steps.
After enabling the Remote Site, update your Visualforce page's AJAX request URL to route through the Salesforce HTTP Proxy endpoint instead of calling the external domain directly. Set the request URL to:
`<REDACTED>
This routes the request through Salesforce's proxy service, which handles the cross-domain request on behalf of the Visualforce page.
Note: If the Experience Cloud or Salesforce site associated with the Visualforce page is inactive, the CORS error is expected behavior. Ensure the site is active before troubleshooting further.
000386868

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.