CORS Allowlist

Configure the CORS Allowlist for games running on the web to restrict where the game can run.

These settings only apply to games running in browser environments. To learn more about CORS, you can read the MDN Web Docs.

For games running in web environments, setting up a CORS allowlist can be beneficial in a few cases:

  • If your game runs on Unity and uses browser cookies

  • If you want to restrict which websites your game can run from when using LootLocker

By default, LootLocker will allow traffic to the API from any website. If you add a host to the CORS allowlist, we will instead only allow traffic to the LootLocker API from that website, effectively restricting the game to only be able to run from that website. A website might be your own domain, or a third-party service like itch.io.

Unity Considerations

If your Unity game uses any cookies, using the CORS allowlist is a requirement. This is not an issue for the vast majority of Unity games!

When Unity makes web requests, it asks for the Access-Control-Allow-Credentials CORS permission. As a side effect, requests that use cookies are blocked for any server that does not explicitly allow this. Unfortunately, it is not possible to allow this broadly without opening the game up to security issues.

Because of this, explicitly defining a CORS allowlist is required in this case. The LootLocker API will not function without it.
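The rule described above, as an added example that is not LootLocker's code: a model of the check a browser applies to a CORS response, showing why a wildcard works for ordinary requests but fails once credentials (cookies) are requested. The function names and the origins are constructed for illustration, and how LootLocker matches hosts internally is an assumption.

```javascript
// Added illustration: models the browser-side CORS check.
// All names and origins are hypothetical; this is not LootLocker's server code.

// Server side: choose response headers from the request's Origin and an allowlist.
// An empty allowlist models the default "allow any website" behaviour.
function corsResponseHeaders(origin, allowlist) {
  if (allowlist.length === 0) {
    return { "access-control-allow-origin": "*" };
  }
  if (!allowlist.includes(origin)) {
    return {}; // no CORS headers: the browser blocks the response
  }
  return {
    "access-control-allow-origin": origin, // echo the exact allowed origin
    "access-control-allow-credentials": "true",
    "vary": "Origin", // caches must not reuse this response for other origins
  };
}

// Browser side: the check applied before page script may read the response.
function browserAllows(headers, origin, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) return allowOrigin === "*" || allowOrigin === origin;
  // Credentialed requests: "*" is rejected, the origin must match exactly,
  // and Access-Control-Allow-Credentials must be the literal string "true".
  return allowOrigin === origin &&
    headers["access-control-allow-credentials"] === "true";
}

const GAME_ORIGIN = "https://game.example";   // constructed sample origin
const OTHER_ORIGIN = "https://other.example"; // constructed sample origin

// Runs one request through both sides and reports whether the browser accepts it.
function scenario(allowlist, origin, withCredentials) {
  const headers = corsResponseHeaders(origin, allowlist);
  return browserAllows(headers, origin, withCredentials);
}

console.log("default, no cookies:    ", scenario([], GAME_ORIGIN, false));
console.log("default, with cookies:  ", scenario([], GAME_ORIGIN, true));
console.log("allowlisted, cookies:   ", scenario([GAME_ORIGIN], GAME_ORIGIN, true));
console.log("other site, cookies:    ", scenario([GAME_ORIGIN], OTHER_ORIGIN, true));
```
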

How to configure the CORS Allowlist

  1. Identify the web hosts where the game should be able to run from

  2. Create a host in the CORS Allowlist Settings Page
