My application is directly accessing the ODS FHIR API from the browser. We have several subdomains for testing. If I make a request from e.g. dev.mydomain.com, and then the same request from staging.mydomain.com, the second request fails with a CORS error as the Access-Control-Allow-Origin header in the response is still set to dev.mydomain.com. However, if I make a request for a different ODS code from staging.mydomain.com, it’s fine.
It feels like the origin for a request is being cached by the API for specific URLs, perhaps based on the originating IP address? Is this a deliberate security feature or something unintended?
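
The symptom described above can be reproduced with a small simulation. This is an added example, not part of the original post and not the API's code. It assumes, without confirmation from the page, that the server reflects the request's Origin header and that a cache in front of it (the browser HTTP cache or an intermediary) stores responses per URL; the paths and codes are constructed placeholders.

```javascript
// Assumed server behaviour: echo the request Origin into Access-Control-Allow-Origin.
// sendVary controls whether the response also carries "Vary: Origin".
function originServer(url, reqHeaders, sendVary) {
  const res = { headers: { 'access-control-allow-origin': reqHeaders.origin }, body: `data for ${url}` };
  if (sendVary) res.headers.vary = 'Origin';
  return res;
}

// Minimal HTTP cache: keyed on URL, with stored variants selected by the
// request headers named in the stored response's Vary header.
class HttpCache {
  constructor() { this.store = new Map(); }
  fetch(url, reqHeaders, upstream) {
    const variants = this.store.get(url) || [];
    // With no Vary header, varyOn is empty and any request for the URL is a hit.
    const hit = variants.find(v => v.varyOn.every(h => v.reqHeaders[h] === reqHeaders[h]));
    if (hit) return hit.res;
    const res = upstream(url, reqHeaders);
    const varyOn = (res.headers.vary || '').split(',')
      .map(s => s.trim().toLowerCase()).filter(Boolean);
    variants.push({ varyOn, reqHeaders: { ...reqHeaders }, res });
    this.store.set(url, variants);
    return res;
  }
}

// The browser's CORS check on a non-credentialed response.
function corsAllows(res, origin) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Replays the three requests from the post; returns whether each passes CORS.
function replay(sendVary) {
  const cache = new HttpCache();
  const upstream = (url, headers) => originServer(url, headers, sendVary);
  const requests = [ // constructed sample requests
    ['https://dev.mydomain.com', '/placeholder?code=CODE-A'],
    ['https://staging.mydomain.com', '/placeholder?code=CODE-A'],
    ['https://staging.mydomain.com', '/placeholder?code=CODE-B'],
  ];
  return requests.map(([origin, url]) => corsAllows(cache.fetch(url, { origin }, upstream), origin));
}

console.log('without Vary: Origin ->', replay(false));
console.log('with Vary: Origin    ->', replay(true));
```

To check a real response, look in the browser's network panel for whether it was served from cache and whether it carries a Vary header that lists Origin.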