I am working on an app that geocodes things using OpenStreetMap. If I run my app.geocode function in the console it works perfectly. If I fire the same function when I click a button on a form I get the following notification in the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://nominatim.openstreetmap.org/search?q=Toronto&format=json. This can be fixed by moving the resource to the same domain or enabling CORS.
Nominatim is returning the appropriate access-control-allow-origin: '*' header...
Can someone explain why these seem to be handled differently? How can I fix this, given that the server is already sending the proper CORS header?
Browser "chrome" components (add-ons, plug-ins, developer console, or whatever else that is part of your browser and lives on your computer) aren't subject to the same-origin policy. Web documents and scripts that are loaded from remote servers are subject to it. Plugins aren't subject to a lot of constraints that scripts in pages are, and that means you need to have a high level of trust in plugins that you add to your browser.
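The check a browser applies before a page script may read a cross-origin response, as an added example that is not part of the original question or answer. It is a simplified model of the Fetch standard's CORS check; `canReadResponse`, its option names (including the `privileged` flag that stands in for the answer's browser-internal components) and the `http://localhost:8000` page origin are assumptions for illustration.

```javascript
// Simplified model of the CORS check from the Fetch standard (added example).
// canReadResponse and its option names are hypothetical, not a browser API.
function canReadResponse({ pageOrigin, requestUrl, responseHeaders,
                           credentials = "same-origin", privileged = false }) {
  // Models the answer's distinction: browser-internal code skips the policy.
  if (privileged) return { allowed: true, reason: "privileged context" };

  // Same-origin reads never need CORS headers.
  if (new URL(requestUrl).origin === pageOrigin) {
    return { allowed: true, reason: "same origin" };
  }

  // Header names are case-insensitive, so normalise before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = headers.get("access-control-allow-origin");
  if (acao === undefined) {
    return { allowed: false, reason: "missing Access-Control-Allow-Origin" };
  }

  const withCredentials = credentials === "include";
  if (acao === "*") {
    // The wildcard only covers requests sent without cookies or HTTP auth.
    return withCredentials
      ? { allowed: false, reason: "wildcard rejected for credentialed request" }
      : { allowed: true, reason: "wildcard" };
  }
  if (acao !== pageOrigin) return { allowed: false, reason: "origin mismatch" };
  if (withCredentials && headers.get("access-control-allow-credentials") !== "true") {
    return { allowed: false, reason: "credentials not allowed" };
  }
  return { allowed: true, reason: "origin allowed" };
}

// Constructed scenarios around the request in the question.
const url = "http://nominatim.openstreetmap.org/search?q=Toronto&format=json";
const pageOrigin = "http://localhost:8000"; // assumed origin of the app
const scenarios = [
  { name: "wildcard header", responseHeaders: { "Access-Control-Allow-Origin": "*" } },
  { name: "header absent", responseHeaders: { "Content-Type": "text/html" } },
  { name: "wildcard + cookies", credentials: "include",
    responseHeaders: { "access-control-allow-origin": "*" } },
];
for (const s of scenarios) {
  const r = canReadResponse({ pageOrigin, requestUrl: url, ...s });
  console.log(`${s.name}: ${r.allowed ? "readable" : "blocked"} (${r.reason})`);
}
```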