It seems that Google changed (or removed) the Access-Control-Allow-Origin header of documents recently. I used to get a document's meta info via the JS Google Drive SDK and then fetch the HTML content via jQuery using the provided export link and access token. This is not working any more.

I ended up implementing a web proxy in my application to which I pass the export link and access token.

In Rails (using the HTTParty gem) the controller action looks like this:

def get_google_doc
  response = HTTParty.get(
      params[:export_link],
      { headers: { 'Authorization' => 'Bearer ' + params[:access_token] } }
  )
  render(text: response.parsed_response)
end

And the JS request like this:

var request = jQuery.ajax({
    "url": "/get_google_doc",
    "type": "GET",
    "dataType": "html",
    "data": {
        "export_link": htmlExportLink,
        "access_token": accessToken
    }
});

You'll find more info on the topic here:

• jQuery - How to remove cross domain limitation
• Ways to circumvent the same-origin policy

@dsager provides a very good response and I believe, in many cases, his response will be the best fit solution for many individuals encountering this problem.

If anyone out there is using Flask/Python and doesn't want to bother with backend code, here's @dsager's backend solution adopted for Flask/Python (note that it uses the requests module):

import requests

@app.route('/get_google_doc', methods=['POST'])
def get_google_item():
  if (not request.json or not 'export_link' in request.json or not 'access_token' in request.json):
    abort(400)

  headers = { 'Authorization' : 'Bearer %s' % request.json['access_token'] }
  r = requests.get(request.json['export_link'], headers=headers)

  return jsonify({'status': 200, 'success': True, 'content': r.content})