Requests to Officers API returning CORS Error & 403

sharon_robinson · June 3, 2024, 2:28pm

When we are trying to get the details of officers for a company we get the following

Access to XMLHttpRequest at 'https://api.company-information.service.gov.uk/company/.../officers' from origin '...' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The ‘companies’ request is returning as expected, but the ‘officers’ call is continually returning the above.

Have there been any changes to the API recently that would affect this? From what we can see there doesn’t appear to be any Access-Control-Allow-Origin response header on the ‘officers’ request.

andrew2 · June 7, 2024, 4:40am

I’ve had a similar problem for months - and just crickets from CH.
https://forum.aws.chdev.org/t/company-officers-api-401-cors-issue/7752/13?u=andrew2
If you want to talk and try and work out what we have in common we might get some leads.

ed.reid · June 10, 2024, 1:11pm

We have also been having this issue from at least April 14th. Companies House have suggested that this may have been triggered by another Change they had implemented on the Officers API but we have not had any further update since.

@MArkWilliams is there any update on this issue as of yet please?

Thanks,
Ed

MArkWilliams · June 24, 2024, 1:20pm

We have now found the issue and are looking at a fix.

BristolJim · July 29, 2024, 11:13am

Hi,

I’m also getting the following from the /company endpoint:

Access to XMLHttpRequest at 'https://api.companieshouse.gov.uk/company/07206291' from origin '...' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I get this via javascript in-browser (Chrome and Firefox tested so far). The preflight request returns 403 Forbidden.

When I run the same via cURL however, it works as expected. e.g.

curl https://api.companieshouse.gov.uk/company/07206291 -H 'Authorization: Basic [api_key]'

It also works when I make the request via Postman.

Requests to the /search/companies endpoint work in-browser as I’d expect. e.g

https://api.companieshouse.gov.uk/search/companies?q=test

This only appears to have started happening for us over the weekend.

@MArkWilliams - Would the issue you have found account for the problems I’m experiencing?

developer4 · July 29, 2024, 12:34pm

We are also experiencing the same issue as BristolJim today.

Trying the same request in Postman is fine, through javascript in-browser we get 403 / COR error.

Is there a current problem with the API endpoints at Companies House?

Update:
@MArkWilliams are you aware of any issues on the “company” endpoint since the update last weekend (Saturday 27th July 2024)?

george.morriss · July 30, 2024, 10:56am

@MArkWilliams We are also experiencing the same issues, this is preventing us from using the API altogether as it cannot pull back any company information.

Is there any update on this?

it13 · July 30, 2024, 3:20pm

We are also getting a CORS error on the /company endpoint. Any update on when it will be fixed or any workarounds in the meantime?

developer4 · August 5, 2024, 9:32am

This is still erroring on the “company” endpoint. It’s been broken for over a week now.

Is there any update if this is being looked into or investigated even if it’s an acknowledgement of the issue?

callum_watkins · August 11, 2024, 6:20pm

@MArkWilliams This issue has now broken my service entirely, first the /officers endpoint starting 4 months ago (!) and now /company. Can you please confirm when you will be releasing a fix?

irvin.alzona · August 12, 2024, 1:55pm

Hi @MArkWilliams ,

I hope you are well. I would like to follow up on this item please. I can see that this is also related to this issue we are monitoring:

Company Officers API 401 CORS Issue - #25 by irvin.alzona

Regards,
Irvin

lee.johnson · August 20, 2024, 9:39am

Hi,

Did you get this fixed, We are having exactly the same problem, work in Postman but not from website, and has been working for years up until 3 weeks ago.

I’m not seeing any help for Companies House team at all!

BristolJim · August 20, 2024, 10:22am

Hi Lee,

I’ve just checked and it’s not fixed.

Jeffrey · August 20, 2024, 11:53am

Confirming this is still an issue on our end as well, rendering our engineers incapable of using the API locally for months. @MArkWilliams can you share any ETA with us as to when we can expect this issue to be resolved?

lee.johnson · August 20, 2024, 1:19pm

I’m getting a 403 (Forbidden) on the preflight OPTIONS request made before the GET request.

I don’t think they have the OPTIONS method in their allowed methods??

callum_watkins · August 27, 2024, 7:30pm

@MArkWilliams Months go by and we hear nothing. Two months ago you said you had found the issue and were looking at a fix. Are you still working on implementing that fix? Please give us some information.

MArkWilliams · August 29, 2024, 11:40am

A fix has now gone in for this issue.
If you are making CORS requests you will need to ensure the api key that you are using has your site in the js_domains array.

callum_watkins · August 30, 2024, 7:19pm

I can confirm that the fix has resolved this issue.

It would be excellent if the team could look at fixing CORS for 429 responses too: CORS headers missing from 429 response

MArkWilliams · September 2, 2024, 11:46am

Thank you for that confirmation. I have also fed back your comment regarding 429 responses.

MArkWilliams · September 3, 2024, 10:30am

Some good news.
The work to fix ‘CORS for 429 responses’ has been given the go ahead.
I have posted an update on that thread.