I have a small JS application running on localhost. I am getting an access token through the user-agent flow (this works fine).
I then make an http request to the identity endpoint to get back my user info and this throws a CORS error.
Access to XMLHttpRequest at 'https://test.salesforce.com/services/data/v48.0' from origin 'https://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have added localhost:3000
under the CORS whitelist in Salesforce but this doesn't do anything.
Best Answer
The Identity URL returned as part of an oauth response is not one of the endpoints that supports CORS whitelisting.
Only the following APIs are supported per CORS whitelisting documentation.