MiniApps are hosted by the SDKs in WebViews under a scheme structure that may fall outside the list of secure origins. As a result, some API calls may be blocked, especially those that require the counterpart servers to recognize that the requests are coming from the Rakuten MiniApp environment.
Since CORS is tightly coupled with security, we recommend:
Option #1: Update Your Server’s CORS Policy
This is the preferred solution, if it is possible for you to make these changes. You should update your server so that the Access-Control-Allow-Origin header will allow the URL used by your MiniApp.
Each MiniApp runs from a unique URL based on the Rakuten MiniApp ID. Currently the Android and iOS platforms each use a different URL for the MiniApp, so you will need to allow the URLs of both. On your server, you can read the 'Origin' header on the request, and if the origin matches one of the MiniApp URLs, then you should attach the appropriate Access-Control-Allow-Origin header in your response.
The following shows the header that should be returned to each platform:
Note: You can find your MiniApp ID in the RAS Portal.
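The origin check described in Option #1, as an added example that is not part of the original documentation or the MiniApp SDK. The two allowed origins are placeholders (assumptions) standing in for the Android and iOS MiniApp URLs of your MiniApp ID, and the function names are hypothetical.

```javascript
// Added example: exact-match Origin allow-list for a MiniApp backend.
// Placeholders (assumptions): replace with the Android and iOS MiniApp URLs
// for your MiniApp ID; the real values are not reproduced here.
const ALLOWED_ORIGINS = new Set([
  'https://android-miniapp-origin.placeholder.invalid',
  'https://ios-miniapp-origin.placeholder.invalid',
]);

// Returns the CORS headers to attach for a given request Origin value.
function corsHeadersFor(origin) {
  // Vary: Origin stops shared caches from serving a response that was
  // generated for one origin to a request from another.
  const headers = { Vary: 'Origin' };
  // Exact string comparison only: no substring, suffix or regex matching,
  // no wildcard, and an unlisted Origin is never echoed back.
  if (typeof origin === 'string' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  }
  return headers;
}

// Node-style (req, res) handler; wire it up with
// require('http').createServer(handler).listen(<port>).
function handler(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  const allowed = 'Access-Control-Allow-Origin' in headers;
  if (req.method === 'OPTIONS') {
    // Preflight: reply with the CORS headers only, no body.
    res.writeHead(allowed ? 204 : 403, headers);
    res.end();
    return;
  }
  // Without Access-Control-Allow-Origin the browser will not expose this
  // response to a page from an unlisted origin.
  res.writeHead(200, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```

CORS only controls which web origins a browser lets read the response, so the API still needs its own authentication and authorization.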
Option #2: Use a Proxy Server
When your Rakuten MiniApps need to access external APIs, you can route the requests through a proxy server that sits inside the trust/secure zone of your ecosystem.
Using proxy servers
It is relatively easy to build a simple proxy server using the cors Node package (together with bootstrappers like express-generator-typescript and packages like proxy-middleware), which can then be published on a cloud platform of your choice based on your enterprise infrastructure.