403 CORS Issue with PowerApps

Hi all,

Thanks in advance for any support. I am having trouble with a CORS issue. We use Microsoft Flow/Powerapps extensively and I’m looking to begin integration with Square by building a custom connector. For initial trials, I’m using the /SearchCustomers path to pull card on file info. When I run the request (either testing in the Custom Connector, or when using Powerapps), I receive a 403 response body of “Received an invalid cross-origin request from origin https://us.create.powerapps.com”.

I am nearly 100% certain that Powerapps/Flow uses server-side processing for calling the request. I have done an extensive amount of reading about this particular issue, but can’t seem to solve it.

Interestingly enough, when I create a generic HTTP request in Flow (without using the Swagger def), I can receive results with no error.

Here is the full response:

"duration": 396.25,
"size": 98,
"status": 403,
"headers": {
  "content-encoding": "gzip",
  "Content-Length": 98,
  "Content-Type": "text/plain; charset=utf-8",
  "Date": "Fri, 07 Aug 2020 18:31:54 GMT",
  "strict-transport-security": "max-age=631152000; includeSubDomains; preload",
  "vary": "Origin,Accept-Encoding",
  "x-content-type-options": "nosniff",
  "x-download-options": "noopen",
  "x-frame-options": "SAMEORIGIN",
  "x-permitted-cross-domain-policies": "none",
  "x-xss-protection": "1; mode=block",
  "x-ms-client-request-id": "20aadf0c-53ec-4414-a838-6239cf9cf970"
},
"body": "Received an invalid cross-origin request from origin https://us.create.powerapps.com\n"

Thanks again for any assistance!

Sounds like the application (Powerapps/Flow) is providing an Origin header with the value “https://us.create.powerapps.com/”. I was able to replicate this by doing a Postman request to SearchCustomers, adding an Origin header with this value as well. I’m not familiar enough with these products to be able to give you a “solution” per se, but if you were able to figure out how to not include that header, it’s likely the issue would be resolved.
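The behaviour described in the reply, as an added sketch that is not code from this thread and not Square's implementation: a server-side guard rejects any request whose Origin header is outside an allowlist and passes a request that carries no Origin header at all, which matches the custom connector failing while the generic HTTP action works. The allowlist value and the names `api_app`, `origin_guard` and `call` are assumptions made for the illustration.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: a constructed allowlist; the API's real list is not on the page.
ALLOWED_ORIGINS = frozenset({"https://dashboard.example.com"})


def api_app(environ, start_response):
    """Stand-in for the API endpoint that sits behind the guard."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"customers": []}']


def origin_guard(app, allowed=ALLOWED_ORIGINS):
    """WSGI middleware: reject requests whose Origin header is not allowlisted.

    Requests with no Origin header (typical of server-to-server clients) pass
    through, so the endpoint must still authenticate them some other way.
    """
    def guarded(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        if origin is not None and origin not in allowed:
            body = f"Received an invalid cross-origin request from origin {origin}\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Vary", "Origin"),  # response depends on Origin; caches must key on it
            ])
            return [body.encode()]
        return app(environ, start_response)
    return guarded


def call(app, origin=None):
    """Invoke the app in-process with a constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = "POST"
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    seen = {}

    def start_response(status, headers):
        seen["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], body


if __name__ == "__main__":
    app = origin_guard(api_app)
    print(call(app))                                     # no Origin header
    print(call(app, "https://us.create.powerapps.com"))  # Origin from the thread
```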