Thank you for reaching out to Constant Contact API Developer Support.
While our expertise is with our API itself as opposed to its implementation within any particular programming language, we are happy to answer any questions pertaining to Constant Contact’s API endpoints, functionality, and documentation.
You can bypass cross-domain request issues by using the Authorization Code Flow instead and making your calls directly from the server, which securely stores your client secret.
OAuth2 Authorization Code Flow
However, if you do want to continue using the PKCE flow from the client-side, please note that when making requests to the /authorize endpoint, the browser (user agent) should be redirected to the endpoint. You can't use AJAX with this endpoint.
Additionally, here are some 3rd party* resources I found that may provide some additional insight:
[3rd party* reference:] Cross-Origin Resource Sharing (CORS)
[3rd party* forum post:] “CORS error when posting to /oauth2/token”
[3rd party* forum post:] “Authorization Code Grant blocked by CORS policy”
(*We can't specifically recommend or express preference in regards to third party integrations, plugins, services, or resources, as they are not built or supported by Constant Contact, so all/any 3rd party resources referenced within this communication are meant to be used expressly for the purpose of providing examples to better illustrate proposed solutions.)
Please have a look and let us know if you have any other questions!
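The reply's point about redirecting the browser to the /authorize endpoint instead of calling it with AJAX, sketched as an added example (not part of the original reply and not Constant Contact's code). `AUTHORIZE_URL`, `CLIENT_ID`, `REDIRECT_URI`, the storage key names and the function names are placeholders assumed for illustration; the query parameters are the standard OAuth 2.0 and PKCE (RFC 7636) ones.

```javascript
// Added example. The three constants below are placeholders, not real values.
const AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize";
const CLIENT_ID = "YOUR_CLIENT_ID";
const REDIRECT_URI = "https://app.example.invalid/callback";

// Web Crypto is global in browsers and recent Node; older Node exposes it via node:crypto.
const wc = globalThis.crypto && globalThis.crypto.subtle
  ? globalThis.crypto : require("node:crypto").webcrypto;

// base64url without padding, the encoding RFC 7636 uses for verifier and challenge.
function base64url(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 32 random bytes -> 43-character token, used for both code_verifier and state.
function randomToken() {
  return base64url(wc.getRandomValues(new Uint8Array(32)));
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function pkceChallenge(verifier) {
  const digest = await wc.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
  return base64url(new Uint8Array(digest));
}

function buildAuthorizeUrl(challenge, state, scope) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope,
    state,
    code_challenge: challenge,
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Browser entry point: a top-level navigation, never fetch() or XMLHttpRequest,
// so no cross-origin (CORS) check applies to the /authorize request.
async function startLogin(scope) {
  const verifier = randomToken();
  const state = randomToken();
  // Kept for the callback page: verifier goes into the token request, state is compared.
  sessionStorage.setItem("pkce_verifier", verifier);
  sessionStorage.setItem("oauth_state", state);
  window.location.assign(buildAuthorizeUrl(await pkceChallenge(verifier), state, scope));
}
```

On the callback page, compare the returned `state` with the stored value before exchanging the code, and remove both stored items once the exchange has completed.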