Quick answer: Construct 3 game embedded via WebView2 throwing CORS errors when fetching JSON or loading an iframe? The remote server isn’t sending CORS headers permitting your origin.
An online leaderboard fetch fails with “CORS policy: No ‘Access-Control-Allow-Origin’ header”. The leaderboard server rejects the game’s origin.
Server-Side Header
Server must respond with Access-Control-Allow-Origin: https://yourgame.com (or * for fully public). No header = blocked. Browser-only enforcement; doesn’t help in native builds without this.
Preflight Handling
Non-simple requests (POST with JSON body) send an OPTIONS preflight. The server must respond with allowed methods, headers, and origin. Missing preflight = blocked even with allow-origin set on the actual response.
Same-Origin Embedding
For iframes, the host page must use a Content-Security-Policy that allows the embedded frame. frame-src 'self' https://embed.example.com.
Proxy as Fallback
If you can’t change the remote server, proxy through your own server: game fetches your server, server fetches the remote, your server sends correct CORS headers.
Verifying
Network tab shows successful 200 responses with appropriate Access-Control-Allow-Origin headers. Game reads data without console CORS errors.
“CORS is server-side. Set headers on the remote, or proxy through your own.”
Document the CORS requirements in your game’s integration guide — partners hosting embeds will hit this immediately otherwise.