Answered

activities/xxx/streams - CORS problem when fetching from browser

  • August 25, 2025
  • 4 replies
  • 225 views


Hi,

I got the following error when trying to fetch from activities/xxx/streams:

Access to fetch at 'https://www.strava.com/api/v3/activities/15565079206/streams?keys=latlng&key_by_type=true' from origin 'https://strava-mapy.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

When debugging in Chrome, I can see in the “Network” tab that there is no Access-Control-Allow-Origin response header for the activities/xxx/streams request:

It seems like a bug. It must have disappeared recently because I remember two weeks ago it worked fine.

I also noticed that other methods work fine - let’s see for example response headers for /activities method:

Could you check it, please? Can you add Access-Control-Allow-Origin back to activities/xxx/streams method?

Thanks a lot,

Jan

Best answer by Jan Tauchmann


4 replies

  • Hub Starter
  • August 26, 2025

I have the same problem. It was OK last week.



This issue has occurred since the 21st of August for our iOS mobile users only: our mobile app uses an embedded webview.

iOS WKWebView CORS origin: "ionic://localhost" fails (didn't fail before 21/8)

Android / Browser CORS origin: http://localhost:XX still works

It sounds like the CORS response header depends on the CORS origin header (new regex rule?).



Hi,

We encounter the same issue on our mobile app with an embedded webview (Ionic), but only for iOS users. It suddenly appeared on 8/21.

The issue seems to depend on the CORS origin scheme / protocol. For Android webviews or browsers, when origin = “http://localhost:XXXX”, the issue does not occur.

But on iOS WKWebView (with origin = ionic://localhost), the issue occurs after 8/21 (the CORS response header “Access-Control-Allow-Origin” is no longer returned).

We just resolved the issue by implementing a new endpoint on our backend server, so our mobile app's embedded webview does not need to call the activity/stream API directly. This is now delegated to the backend endpoint, which can return the CORS header as expected.

Sounds like Strava servers (for the activity/stream API) now rely on some kind of regex rule to allow the CORS header according to the request origin ...


  • Author
  • Hub Rookie
  • Answer
  • September 9, 2025

Hi,

Yep, I also had to help myself by implementing an API method on my backend - proxying the call to the /streams API.

But now it seems the Strava guys resolved this issue - you can probably switch to a direct Strava API call from the browser.

Access-Control-Allow-Origin response header rose back again :)
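
Added example, not part of any post above and not Strava's or any poster's code: a sketch of the backend proxy workaround mentioned in the last two replies, with the CORS decision made by exact-match allowlist so that a non-HTTP origin such as ionic://localhost is handled explicitly. The `/streams/<id>` route, the `ALLOWED_ORIGINS` entries, the dev port and the function names are assumptions for illustration.

```javascript
// Origins allowed to read the proxied response. Exact strings, no regex or
// suffix matching. Constructed for this example.
const ALLOWED_ORIGINS = new Set([
  "https://strava-mapy.com",
  "ionic://localhost",     // iOS WKWebView origin reported in the thread
  "http://localhost:8100", // assumed dev port; the thread only says "XX"
]);

// Return CORS headers for an allowed Origin, or only Vary for anything else.
function corsHeaders(origin) {
  const headers = { Vary: "Origin" }; // caches must key the response on Origin
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo only after exact match
  }
  return headers;
}

// Build the upstream URL; only a numeric activity id may reach the path.
function upstreamUrl(activityId) {
  if (!/^\d{1,20}$/.test(String(activityId))) return null;
  return `https://www.strava.com/api/v3/activities/${activityId}/streams?keys=latlng&key_by_type=true`;
}

// Handle GET /streams/<id> (hypothetical route). `token` is the Strava access
// token, kept server-side; `fetchImpl` defaults to Node's global fetch.
async function handleStreams({ method, path, origin }, token, fetchImpl = fetch) {
  const headers = corsHeaders(origin);
  if (method !== "GET") return { status: 405, headers, body: "" };
  const match = /^\/streams\/([^/]+)$/.exec(path);
  const url = match && upstreamUrl(match[1]);
  if (!url) return { status: 400, headers, body: "" };
  const upstream = await fetchImpl(url, {
    headers: { Authorization: `Bearer ${token}` },
  });
  headers["Content-Type"] = "application/json";
  return { status: upstream.status, headers, body: await upstream.text() };
}
```

The CORS header only tells browsers which origins may read the response; the proxy endpoint still needs the application's own authentication so it does not become an open relay for the stored token.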