Problem
When attempting to run Databricks APIs from a browser-based web application, you see a CORS (cross-origin resource sharing) policy error.
Error: Access to fetch at 'https://dbc-xxxxx-xxx.cloud.databricks.com/api/2.0/sql/statements/' from origin 'https:/<web-domain>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
zone-evergreen.js:1068
POST https:/dbc-xxxxx-xxx.cloud.databricks.com/api/2.0/sql/statements/ net::ERR_FAILED
Cause
CORS is a security mechanism web browsers implement to restrict web pages from making requests to a different domain (such as databricks.com) than the one serving the web page.
Databricks does not allow CORS on most HTTP endpoints for security reasons.
Solution
Set up a backend server that sits between your browser application and the Databricks control plane and handles all communication with the control plane.
- Ensure the backend server has the same domain as the browser application.
- Implement OAuth machine-to-machine (M2M) authentication for secure communication. Obtain an OAuth token from Databricks and use it to authenticate API requests.
- Use any server-side technology, such as Node.js, Python (Flask or Django), Go, or other backend frameworks you prefer.
- Ensure that all requests from the web application are proxied through the backend server. The backend server will handle the OAuth authentication.
For more information on OAuth M2M, review the Authenticate access to Databricks with a service principal using OAuth (OAuth M2M) (AWS | Azure | GCP) documentation.
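The steps above, sketched as a minimal standard-library Python proxy. This is an added example, not Databricks code: it obtains an OAuth M2M token with the client-credentials grant, caches it, and forwards only allow-listed POST paths. The environment variable names, port 8080, the single allow-listed path and the assumption that your web server routes same-domain requests to this process are all illustrative.

```python
import base64, json, os, time, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HOST = os.environ.get("DATABRICKS_HOST", "https://dbc-xxxxx-xxx.cloud.databricks.com")  # placeholder host
ALLOWED = ("/api/2.0/sql/statements",)  # assumption: the only API the web app needs

def http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # pass upstream 4xx/5xx back to the caller
        return err.code, err.read()

class TokenCache:
    """OAuth M2M (client-credentials) token, reused until 60 s before expiry."""
    def __init__(self, client_id, client_secret, post=http_post, now=time.time):
        self._basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._post, self._now, self._token, self._expires = post, now, None, 0.0
    def get(self):
        if self._token is None or self._now() >= self._expires - 60:
            form = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"})
            _, raw = self._post(f"{HOST}/oidc/v1/token", {"Authorization": f"Basic {self._basic}",
                "Content-Type": "application/x-www-form-urlencoded"}, form.encode())
            data = json.loads(raw)
            self._token, self._expires = data["access_token"], self._now() + data["expires_in"]
        return self._token

def is_allowed(path):
    """Allow-list check on the decoded path; rejects '..' segments and look-alike prefixes."""
    clean = urllib.parse.unquote(urllib.parse.urlsplit(path).path)
    return ".." not in clean.split("/") and any(clean == p or clean.startswith(p + "/") for p in ALLOWED)

def forward(path, body, tokens, post=http_post):
    if not is_allowed(path):
        return 403, b'{"error": "path not allowed"}'
    headers = {"Authorization": f"Bearer {tokens.get()}", "Content-Type": "application/json"}
    return post(HOST + path, headers, body)  # token and client secret never reach the browser

class Proxy(BaseHTTPRequestHandler):
    tokens = None  # set at startup
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, payload = forward(self.path, body, self.tokens)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    Proxy.tokens = TokenCache(os.environ["DATABRICKS_CLIENT_ID"], os.environ["DATABRICKS_CLIENT_SECRET"])
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Every request that reaches `forward()` runs with the service principal's permissions, so put your web application's own user authentication in front of it and grant the service principal only the access the application needs.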