That was in fact it, lack of a subdomain wildcard. I got really confused because I opened one project I thought had this issue, saw the ACAO header was set to *, and thought I hallucinated the whole thing out of some different issue. But it was a different project where I needed to allow internal access, which would have been easy with a hardwired response with a wildcard, but instead I needed to write a whole lambda endpoint just to pull out the requesting host and put it in the ACAO header. Also easy, but what a waste.
Either way, kind of a digression into details of CORS that wasn't necessary for the introductory treatment, so I edited it out.
chuckadams|1 year ago
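The approach the comment above describes (pulling out the requesting origin and echoing it in the ACAO header, since CORS has no subdomain wildcard), as an added example that is not the commenter's code. The `internal.example.com` zone, the function names and the Lambda proxy-style event shape are assumptions.

```javascript
// Added example: zone and names are hypothetical, not from the original post.
const ALLOWED_SUFFIX = ".internal.example.com"; // assumed internal zone
const ALLOWED_EXACT = new Set(["https://internal.example.com"]);

// Return the origin to echo in Access-Control-Allow-Origin, or null.
function allowedOrigin(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "null") return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // not a parseable origin
  }
  // A browser-sent Origin is exactly scheme://host[:port]; reject paths,
  // mixed case, userinfo or anything else that does not round-trip.
  if (url.origin !== originHeader) return null;
  if (url.protocol !== "https:") return null;
  if (ALLOWED_EXACT.has(url.origin)) return url.origin;
  // Compare the parsed hostname, and keep the leading dot in the suffix so
  // "notinternal.example.com" does not match.
  return url.hostname.endsWith(ALLOWED_SUFFIX) ? url.origin : null;
}

// Build the response; only an allowlisted origin is ever echoed back.
function respond(event) {
  const reqHeaders = event.headers || {};
  const origin = allowedOrigin(reqHeaders.origin || reqHeaders.Origin);
  // Vary: Origin stops a shared cache from serving one origin's ACAO to another.
  const headers = { Vary: "Origin" };
  if (origin) headers["Access-Control-Allow-Origin"] = origin;
  return { statusCode: 200, headers, body: "" };
}

// Lambda-style entry point wrapping the synchronous logic above.
const handler = async (event) => respond(event);
```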