Simulator OK, but Published build fails with CORS (OpenAI + Flask via ngrok)

🧑‍💻 Technical Support
,
1

Dear 8th Wall Staff,
I’m building a small prototype that chains 8th Wall (front-end) → Flask (ngrok tunnel) → OpenAI to generate story text from user-uploaded photos.

1 · Setup in short
[8th Wall Web] ---- fetch (multipart/form-data, POST /upload_image) ----> [ngrok https://niko.ngrok.app] ---- Flask (flask-cors) ----> OpenAI API

  • Front-end: simple A-Frame scene, user chooses an image → fetch() to /upload_image.
  • Back-end: Flask server on localhost :5000, exposed through ngrok http 5000 --domain niko.ngrok.app.
  • CORS: flask_cors.CORS(app, resources={r"/*": {"origins": "*"}}) for now, just to debug.

2 · What works

  • 8th Wall Cloud Editor → Simulator (dev URL *.dev.8thwall.app):
    the request reaches Flask, OpenAI replies, story shows up.

2
21179×2556 283 KB

3 · What fails after “Publish”
  • Staging / Public URL (https://kennychow.8thwall.app/...) shows the UI, but when I press Generate Next Chapter the request is blocked:

Access to fetch at ‘https://niko.ngrok.app/upload_image
from origin ‘https://kennychow.8thwall.app
has been blocked by CORS policy:
Response to preflight request doesn’t pass access control check:
No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

DevTools console also reports net::ERR_FAILED on the OPTIONS preflight.

Simulator uses the exact same ngrok endpoint and works, so I’m guessing this is either:

  1. CSP / External Domains whitelist for published builds
  2. Some extra CORS header 8th Wall adds in production

Fail1
Fail11179×2556 184 KB

Screenshot 2025-05-27 104020
Screenshot 2025-05-27 1040201136×1060 120 KB

4 · Things I’ve tried
  • Added https://*.8thwall.app and https://niko.ngrok.app to origins="*" (just for debug).
  • Couldn’t find Hosting & Domains → External Domains / CSP section in Project Settings (I’m on the free “Basic” workspace).
5 · Questions
  1. For Basic workspaces, is there still a way to whitelist niko.ngrok.app so the published domain can fetch it?
  2. If not, what’s the recommended pattern for calling an external Flask/OpenAI endpoint from a published 8th Wall project?
  3. Any other headers I should add on the Flask side to satisfy the OPTIONS preflight?
    My Project Link:8th.io/vgx3p

Thanks in advance!

2

Can you confirm that you’re seeing the allow all * wildcard in the response headers from your server? It could be that the ngrok tunnel is preventing this configuration and instead you need to use a cloud hosting provider for your server.

3

Thanks for your reply, I will check my ngrok tunnel setting.

4

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.