Our API server implements CORS where we whitelist particular Origin headers. GraphiQL App is sending an origin of null which means we can't whitelist this application in particular.

Each time I work on our API I just have to disable CORS and it would be nice if GraphiQL App at least provided something here.