CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

Problem and Symptoms

All of a sudden, starting August 5, 2021, the spell checking service stopped working despite the fact that previous it worked properly. There are CORS errors in browser console and failed request observed in network tabs.

Affected products/integrations: WProofreader add-on for RTEs, WProofreader plugin for CKEditor 5, SCAYT and Spell Check Dialog (WSC) plugins for CKEditor 4 untilizing the Cloud version.

Here is an example of an error thrown in the browser console:

Access to XMLHttpRequest at '' 
from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. 

wscbundle.js?_=1628087864273:40 The WebSpellChecker Service is currently unavailable. 
POST  net::ERR_FAILED

Root cause

Effective August 5, 2021, we introduced the security update/improvement for all cloud services that restrics the access to the service over HTTP. Technically, all the requests to HTTP are redirected to HTTPS. It works properly for static web content and direct API requests but not for API requests originated from other originals which are blocked by cross-origin resource sharing (CORS) policy.

Solution

To solve the issue, the service resources must be loaded via HTTPS. Thus, the updates in the configuration of the service are required. It doesn't mean that you need to change the configuration of your website or web app to HTTPS right away. However, it is highly recommended as a modern best practice to ensure data security, integrity and privacy.

SCAYT plugin for CKEditor 4

If you are using the plugins for CKEditor 4, please add the scayt_srcUrl (for SCAYT) to CKEditor config.js along with the rest settings that will load the plugin resources via HTTPS.

// for SCAYT
config.scayt_srcUrl ='https://svc.webspellchecker.net/spellcheck31/wscbundle/wscbundle.js';

WProofreader add-on for RTEs

In case of WProofreader integration, just load wscbundle.js script over HTTPS.