Auth0 Home Blog Docs

Incorrect error message when disabling legacy lock? (CORS)


When trying to disable the legacy lock API we see the following output in logs:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a “Origin” error has been logged before this warning, please add “http://localhost:8080” to the “Allowed Origins (CORS)” list in the Auth0 dashboard: …

The http://localhost:8080 domain is definitely within the textarea next to the Allowed Origins (CORS) option.

I’m wondering if this is a problem with the error message, or if there is some way that we can further debug this?


I had same issue and this fixed it - basically, use webAuth.passwordlessLogin instead of webAuth.passwordlessVerify. Not sure if it applies in your case.

From message by @kim.noel:

" @vantechstudio were you able to solve your issue? For others seeing this, we should be able to use webAuth.passwordlessLogin instead of webAuth.passwordlessVerify and that should fix this issue moving forward."


Thanks. Seems we’re using the lock.js APIs though, which should already leverage passwordlessLogin under the hood?


One thing was in my case I was directly calling passwordlessVerify instead of passwordlessLogin. From that code it looks like it should not have mattered, so I’ll need to check again to see where I was in the troubleshooting process when it helped. I seem to remember that it was the last thing that finally got it all going again.

Also - as for the CORS stuff, does the textbox you’re referring to gave the label “Allowed Web Origins”?