Bungie-net / api

Resources for the Bungie.net API

Set access-control-allow-origin: * for all static assets #1850

Open bhollis opened 10 months ago

bhollis commented 10 months ago

I’ve noticed that some Bungie.net resources (e.g. manifest JSONs, images) often have the header access-control-allow-origin: https://www.bungie.net/ which prevents them from being loaded by DIM or other third-party sites. I believe this header is being set conditionally, and Cloudflare is caching one version and serving it to others. We have a workaround for the manifest (we retry with a “cache buster” query param, which isn’t great but it works), but for images we don’t. That wouldn’t be a problem normally, but we’re trying to enable Cross-Origin-Embedder-Policy: require-corp, which would expect all images to be CORS-enabled. Switching to unconditionally returning access-control-allow-origin: * for all static assets would be a big help.
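
The header behaviour described in the comment above can be checked from response headers alone. The following is an added example, not part of the original issue or of any Bungie or DIM code; `classifyAsset`, the sample header sets and the origin `https://app.example` are constructed for illustration. It assumes a cross-site, non-credentialed request.

```javascript
// Constructed sample headers; https://app.example is a hypothetical third-party origin.
const SAMPLES = {
  cachedForFirstParty: { 'Access-Control-Allow-Origin': 'https://www.bungie.net/' },
  wildcard: { 'access-control-allow-origin': '*' },
  perOriginWithVary: {
    'Access-Control-Allow-Origin': 'https://app.example',
    Vary: 'Accept-Encoding, Origin',
  },
  corpOnly: { 'Cross-Origin-Resource-Policy': 'cross-origin' },
};

// Lowercase header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function classifyAsset(rawHeaders, pageOrigin) {
  const h = normalize(rawHeaders);
  const acao = h['access-control-allow-origin'];
  const corp = (h['cross-origin-resource-policy'] || '').toLowerCase();
  const vary = (h['vary'] || '').toLowerCase().split(',').map((s) => s.trim());

  // CORS check without credentials: "*" or an exact match of the requesting
  // origin (a serialized origin has no trailing slash or path).
  const corsOk = acao === '*' || acao === pageOrigin;

  // CORP: cross-origin lets a no-cors load through under COEP: require-corp.
  const corpOk = corp === 'cross-origin';

  // An origin-specific ACAO without Vary: Origin lets a shared cache serve one
  // origin's copy of the response to every other origin.
  const variesOnOrigin = vary.includes('origin') || vary.includes('*');
  const cacheMixupRisk = acao !== undefined && acao !== '*' && !variesOnOrigin;

  // Loadable under COEP: require-corp in at least one request mode:
  // cors mode passing the CORS check, or no-cors mode with CORP: cross-origin.
  return { corsOk, corpOk, loadableUnderCoep: corsOk || corpOk, cacheMixupRisk };
}

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, classifyAsset(headers, 'https://app.example'));
}
```
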

AndreGrandberry commented 4 months ago

I'm having the same issue. I just submitted an issue myself. Have you found a solution? I'm building my app with Node.js and React, so all of the workarounds I've heard about don't seem feasible for me. Plus I'm on a strict deadline to finish my project and this is holding me up.