CORS error on va.tawk.to/log-performance/v3 — No Access-Control-Allow-Origin (widget works, console error persists)

Summary: The chat widget loads and works, but the browser console logs a repeated CORS error from a Tawk telemetry endpoint.

Console error (screenshot below):
Access to fetch at 'https:/va.tawk.to/log-performance/v3' from origin '<my-domain>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
POST https:/va.tawk.to/log-performance/v3 net::ERR_FAILED

Environment: Static site on Cloudflare. Widget loaded via the standard embed.tawk.to script (no crossorigin attribute). The widget initializes fine (Tawk_API present, bubble + chat work).

Already verified:

  • My domain is already added/whitelisted in the Tawk dashboard (Property Settings → domains), yet the error still occurs.
  • Referrer-Policy: strict-origin-when-cross-origin is set.
  • CSP whitelists all Tawk domains from help.tawk.to (*.tawk.to, wss:/*.tawk.to, cdn.jsdelivr.net, tawk.link, s3.amazonaws.com, fonts.googleapis.com, fonts.gstatic.com). va.tawk.to is allowed via *.tawk.to, so it is NOT blocked by my CSP.
  • The va.tawk.to/log-performance/v3 response itself returns no Access-Control-Allow-Origin header on the preflight (server-side on Tawk’s end).

Questions:

  1. Is this a known issue with the log-performance telemetry endpoint not returning CORS headers?
  2. Since my domain is already whitelisted, is this a server-side fix needed on your end?
  3. Is it safe to ignore (does it affect any chat functionality)?

Happy to share my Property/Widget ID privately. Thanks!

Hi @dkkd,

Thank you for reaching out to us.

Could you please share your website URL so our team can take a closer look and investigate the issue? If you prefer not to post it publicly, feel free to send it to us via direct message instead.

We appreciate your cooperation and look forward to assisting you further.

Hi,

This is not an issue as it is an intentional Web Application Firewall put in place by tawk.to staff to prevent unauthorized access.

This error is the result of intentional security measures by tawk.to and can be safely ignored.

Let me know if there is anything else.

Best regards,

1 Like

@Ralph We are experiencing the same error on our website. I don’t like to ignore errors (even safely :wink: and frankly I don’t understand this:

Can you please elaborate why you put a reference to va.tawk.to/log-performance/v3 into your script code and then intentionally block it in WAF? Would it not make more sense to remove the reference from your script code instead?

Best regards
Alex

It makes my PSI score drop from 100 to 96. It doesn’t really matter, but it still annoys me.


I’ve currently implemented a workaround that only loads Tawk.to after user interaction. Because of that, PageSpeed Insights still shows a score of 100. However, when auditing in a real Chrome session as a visitor, the Best Practices score drops from 100 to 96.
doanhnghiep360[dot]com

Hi,

Thank you for providing the details.

I will forward this information to our team for further investigation. We will review the issue and get back to you as soon as we have any updates or additional information to share.

Thank you for your patience and understanding.

1 Like

@weinfurore @dkkd
Our developers confirmed that va.tawk.to/log-performance/v3 has been removed.

Let me know if any issues persist.

Thank you, the errors are gone now.

1 Like