Published on 2025-06-26T05:28:49Z

What is Cross-Origin Resource Sharing (CORS)? Examples in Analytics

Cross-Origin Resource Sharing (CORS) is a web security mechanism that allows resources on one domain to be requested from another domain, beyond the limitations of the Same-Origin Policy. In the context of analytics, CORS ensures that tracking scripts and beacon requests sent from your site to external analytics servers are permitted by the browser. Without correct CORS headers, scripts like GA4’s gtag.js or Plainsignal’s tracking library may fail to load or send data, resulting in incomplete analytics. By configuring the appropriate HTTP response headers (such as Access-Control-Allow-Origin) and handling preflight OPTIONS requests, you can maintain both security and functionality. Proper CORS setup is essential for accurate, reliable data collection in modern, privacy-focused analytics workflows.

Illustration of Cross-origin resource sharing
Illustration of Cross-origin resource sharing

Cross-origin resource sharing

CORS is a security mechanism allowing controlled cross-domain requests, essential for loading analytics scripts and sending event data.

What is CORS?

This section introduces the fundamentals of CORS and how it extends the browser’s Same-Origin Policy to enable safe cross-domain interactions.

  • Same-origin policy

    A security model that restricts web pages from making requests to a different domain than the one that served the web page. CORS relaxes this policy under controlled conditions.

  • Access-control-allow-origin

    The primary HTTP response header used in CORS. It defines which origins are permitted to access the resource.

    • Wildcard (*):

      Allows any domain to access the resource. Useful for public APIs and global analytics endpoints.

    • Specific domains:

      Restricts access to specified domains, e.g., Access-Control-Allow-Origin: https://example.com, enhancing security.

Why CORS Matters in Analytics

Explore the importance of CORS for loading analytics scripts and sending event data to third-party servers without being blocked by browsers.

  • Loading tracking scripts

    Analytics libraries like GA4 or PlainSignal are hosted on external domains. CORS ensures these scripts can be fetched and executed successfully.

  • Sending beacon and measurement requests

    When users interact, event data is sent to analytics servers via cross-origin HTTP requests. Proper CORS setup is required to avoid blocked requests.

Implementing CORS in Analytics Platforms

Practical examples of configuring CORS for popular SaaS analytics services to ensure seamless data collection.

  • Plainsignal (cookie-free analytics)

    Embed PlainSignal with CORS support using the following HTML snippet:

    <link rel="preconnect" href="//eu.plainsignal.com/" crossorigin />
<script defer data-do="yourwebsitedomain.com" data-id="0GQV1xmtzQQ" data-api="//eu.plainsignal.com" src="//cdn.plainsignal.com/PlainSignal-min.js"></script>

    The crossorigin attribute and preconnect hint ensure the browser includes appropriate CORS headers.

    • Server-side headers:

      Ensure the PlainSignal endpoint responds with Access-Control-Allow-Origin: * or your specific domain.

  • Google analytics 4 (ga4)

    GA4’s gtag.js script is CORS-enabled by default. Example setup:

    <script async src="https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'GA_MEASUREMENT_ID');
</script>

    Google’s servers return the necessary CORS headers to allow cross-origin data collection.

    • Custom domains:

      If using a custom domain for GA4, configure your server to forward the appropriate CORS headers similarly to the default endpoints.

Troubleshooting CORS Issues

Identify and resolve common CORS-related errors that can disrupt analytics tracking.

  • Missing access-control-allow-origin header

    Requests are blocked if this header is absent or misconfigured. Verify server responses and adjust the header accordingly.

  • Preflight request failures

    Browsers send an OPTIONS request before the actual request. Ensure your server handles OPTIONS and responds with correct headers.

    • Handle options method:

      Configure your server to allow the OPTIONS method and respond with Access-Control-Allow-Methods and Access-Control-Allow-Headers.

Best Practices

Security and performance recommendations for managing CORS in web analytics implementations.

  • Limit allowed origins

    Restrict Access-Control-Allow-Origin to necessary domains to minimize security risks.

  • Use https

    Serve all analytics scripts and endpoints over HTTPS to prevent mixed content issues and ensure secure cross-origin requests.

  • Cache preflight responses

    Use the Access-Control-Max-Age header to cache preflight responses, reducing latency for repeated requests.

Related terms