Web API Requests
xlwings Lite runs Python in the browser, which means that any API requests you make are subject to the same security constraints that apply to browser-based applications.
For security reasons, browsers only allow you to make requests to the same origin, i.e., domain, where your application is hosted, unless the server explicitly allows it by setting CORS (Cross-Origin Resource Sharing) headers in its response (like Access-Control-Allow-Origin).
Here’s what this means:
Public APIs such as GitHub often set the CORS headers. So the following will work:
    import pandas as pd

    df = pd.read_csv(
        "https://raw.githubusercontent.com/mwaskom/seaborn-data/master/penguins.csv"
    )
If your API request fails with CORS errors and you control the server you’re trying to access, configure it to add the following header to responses:
Access-Control-Allow-Origin: https://addin.xlwings.org
If you’re self-hosting the xlwings Lite add-in, use your own domain instead.
If your API request fails with CORS errors and you don’t control the server, you can use a CORS proxy. This is a backend server that forwards your requests to the target API and adds the required CORS headers to the responses. While commercial proxy services exist, for security and data privacy reasons, it’s recommended to host your own CORS proxy rather than sending potentially sensitive data through third-party servers.
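A sketch of such a self-hosted CORS proxy, added here as an example and not part of xlwings. It handles GET only, forwards only to allowlisted upstream hosts so it cannot be used as an open relay, and grants cross-origin access to the add-in origin only. The upstream host api.example.com, the `url` query parameter, and the listen address are assumptions.

```python
# Added example: minimal self-hosted CORS proxy (hosts and port are assumptions).
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit, parse_qs
from urllib.request import Request, urlopen

ALLOWED_ORIGIN = "https://addin.xlwings.org"   # or your own domain if self-hosting
ALLOWED_UPSTREAMS = {"api.example.com"}        # constructed: the APIs you proxy to


def target_allowed(url):
    """Forward only to https URLs on allowlisted hosts (no userinfo, default port)."""
    try:
        parts = urlsplit(url)
        ok_port = parts.port in (None, 443)
    except ValueError:                         # malformed host or port
        return False
    return (parts.scheme == "https" and parts.hostname in ALLOWED_UPSTREAMS
            and parts.username is None and ok_port)


def cors_headers(origin):
    """Grant cross-origin access to the add-in origin only, never to '*'."""
    if origin != ALLOWED_ORIGIN:
        return {}
    return {"Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin"}


class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):                          # called as /?url=<encoded target>
        target = parse_qs(urlsplit(self.path).query).get("url", [""])[0]
        if not target_allowed(target):
            self.send_error(403, "upstream not allowlisted")
            return
        try:
            with urlopen(Request(target), timeout=10) as upstream:
                status, body = upstream.status, upstream.read()
                ctype = upstream.headers.get("Content-Type", "application/octet-stream")
        except OSError:                        # network errors and upstream 4xx/5xx
            self.send_error(502, "upstream request failed")
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        for name, value in cors_headers(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

urlopen follows redirects, so the host allowlist only covers the first hop; disable or re-check redirects if an upstream is not fully trusted.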