[Hidden-tech] Problems with AWS API and CORS

[Jeff Brand]

The documentation around CORS is wildly complex. The short version:

Certain types of page elements require "permission" from the third party resource (the XHR target) in order to use their data. The page on which the script is called/referenced is the Origin. The fix is to add the header to the API response, either within the code or within the API endpoint handler (if that's an option - I don't recall.)

Access-Control-Allow-Origin: *

The browser sees the header when making the XHR request and knows that the answer is * = Anybody. This is all that's needed for the remote resource (your API) to "grant" access to the origin (the page being rendered by your browser, hosted at the S3 domain.)

If you would like to whitelist a specific domain then you could respond with that domain instead of *. Allowing a limited but set of multiple domains would require a little more dev.