Following up on this Topic, originally created by @andres . @Daniel_Litvak and I resolved this problem using a CORS policy of the following form:
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"POST",
"GET",
"HEAD",
"PUT"
],
"AllowedOrigins": [
"https://discovery.example.com",
"http://example.com",
"https://apps.example.com",
"http://apps.example.com",
"https://example.com",
"https://studio.example.com",
"http://studio.example.com",
"http://preview.example.com",
"https://preview.example.com",
"http://discovery.example.com"
],
"ExposeHeaders": [
"Access-Control-Allow-Method",
"Access-Control-Allow-Origin",
"Access-Control-Allow-Header"
],
"MaxAgeSeconds": 3000
}
]