When making calls to a contentservice script I always have sent a callback for JSONP. Since GAS does not support CORS this is the only reliable way to ensure your app doesn't break when x-domain issues arrive.

在调用 contentservice 脚本时，我总是为 JSONP 发送回调。由于 GAS 不支持 CORS，这是确保您的应用程序在 x 域问题到来时不会中断的唯一可靠方法。

Making a call in jQuery just add "&callback=?". It will figure everything else out.

在 jQuery 中进行调用只需添加“&callback=?”。它会弄清楚其他一切。

 var url = "https://script.google.com/macros/s/{YourProjectId}/exec?offset="+offset+"&baseDate="+baseDate+"&callback=?";
 $.getJSON( url,function( returnValue ){...});

On the server side

在服务器端

function doGet(e){
 var callback = e.parameter.callback;
 //do stuff ...
 return ContentService.createTextOutput(callback+'('+ JSON.stringify(returnValue)+')').setMimeType(ContentService.MimeType.JAVASCRIPT);
}

I've lost a couple of hours with the same issue. The solution was trivial.

我已经因为同样的问题失去了几个小时。解决方法很简单。

When you deploy the script as webapp, you get two URLs: the /devone and the /execone. You should use /execone to make cross domain POST requests. The /devone is always private: it requires to be authorized and doesn't set *Allow-Origin header.

当您将脚本部署为 webapp 时，您将获得两个 URL：/dev一个和/exec一个。您应该使用/exec一个来进行跨域 POST 请求。在/dev一个总是私人的：它需要被授权和没有设置*允许来源头。

PS.: The /execone seems to be frozen — it doesn't reflect any changes of code until you manually deploy it with a new version string (dropdown list in deploy dialog). To debug the most recent version of the script with the /devURL just install an alternative browser and disable it's web-security features (--disable-web-securityin GoogleChrome).

PS.：那个/exec似乎被冻结了——它不会反映任何代码更改，直到您使用新版本字符串手动部署它（部署对话框中的下拉列表）。要使用/devURL调试最新版本的脚本，只需安装替代浏览器并禁用其网络安全功能（GoogleChrome 中的--disable-web-security）。

Just to make it simpler for those who are only interested in a POST request like me:

只是为了让像我这样只对 POST 请求感兴趣的人更简单：

function doPost(e){

 //do stuff ...

 var MyResponse = "It Works!";

 return ContentService.createTextOutput(MyResponse).setMimeType(ContentService.MimeType.JAVASCRIPT);

}

I stumbled upon the same issue:

我偶然发现了同样的问题：

• calling /exec-urls from the browser went fine when running a webpage on localhost
• throws crossorigin-error when called from a https-domain

• /exec在本地主机上运行网页时，从浏览器调用-urls 很顺利
• 从 https 域调用时抛出跨域错误

I was trying to avoid refactoring my POST JSON-clientcode into JSONP (I was skeptical, since things always worked before).

我试图避免将我的 POST JSON-clientcode 重构为 JSONP（我持怀疑态度，因为以前总是有效的）。

Possible Fix #1

可能的修复 #1

Luckily, afterI did one non-CORS request (fetch()in the browser from a https-domain, using mode: no-cors), the usual CORS-requests worked fine again.

幸运的是，在我做了一个非 CORS 请求（fetch()在来自 https 域的浏览器中，使用mode: no-cors）之后，通常的 CORS 请求再次正常工作。

last thoughts

最后的想法

A last explanation might be: every new appscript-deployment needs a bit of time/usage before its configuration actually settled down at server-level.

最后一个解释可能是：每个新的 appscript-deployment 在其配置实际稳定在服务器级别之前都需要一些时间/使用。

My case is different, I'm facing the CORS error in a very weird way.

我的情况不同，我以一种非常奇怪的方式面对 CORS 错误。

My code works normally and no CORS errors, only until I added a constant:

我的代码工作正常，没有 CORS 错误，直到我添加了一个常量：

const MY_CONST = "...";

It seems that Google Apps Script (GAS) won't allow 'const' keyword, GAS is based on ES3 or before ES5 or that kind of thing. The error on 'const' redirect to an error page URL with no CORS.

似乎 Google Apps Script (GAS) 不允许使用 'const' 关键字，GAS 是基于 ES3 或之前 ES5 之类的。“const”上的错误重定向到没有 CORS 的错误页面 URL。

Reference:
https://stackoverflow.com/a/54413892/5581893

参考：https:
//stackoverflow.com/a/54413892/5581893