Our website includes the v1.js in order to embed a stream.

<script type="module" src=""></script>

This is now failing (I am pretty sure it used to work) due to cors.

~$ curl --verbose
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 17182
< Content-Type: application/x-javascript
< Server: Kestrel
< ETag: "2a27457ea6d1f8d58b91741b83bbf807"
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Release-Type: release
< Accept-Ranges: bytes
< Date: Wed, 27 Oct 2021 00:00:32 GMT
< Via: 1.1 varnish
< Age: 40
< X-Served-By: cache-iad-kiad7000110-IAD
< X-Cache: HIT
< X-Cache-Hits: 1
< X-Timer: S1635292833.826972,VS0,VE1
< Vary: Access-Control-Request-Headers, Access-Control-Request-Method, Origin, Accept-Encoding
< Strict-Transport-Security: max-age=300

My understanding is that this URL “” should return -at least- the “Access-Control-Allow-Origin” header, with provided origin or *.

Am I missing something?

Link to broken webpage please

Still a prototype, I can’t disclose a link in a public forum. Will send as MP.

Then sounds like your problem might be the lack of SSL or a “unsupported local host” scenario.

Removing the type=module seems to fix the issue. Thanks!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.