OP here - I'm hoping by posting a forum thread explicitly stating their current behaviour is broken and providing a link to the spec that they are violating will allow Amazon to accept they have an issue and hopefully fix it.
There are so many threads on CORS around StackOverflow and the AWS forums and users tend to assume they've got something wrong in their configuration, or blame the browsers for returning a cached response that they are completely entitled to do. "Solutions" are always given to ensure all requests are cross origin (such as by `<img crossorigin ...`) or cache-busting with a query parameter.
S3's CORS implementation came out in 2012 and has never managed to get this right as far as I can tell. They did add a `Vary: Origin` header to their CORS responses in April 2013 - https://forums.aws.amazon.com/thread.jspa?threadID=103402&st... - but still now over 8 years later their non-CORS responses don't have this header.
(Replying to PARENT post)
There are so many threads on CORS around StackOverflow and the AWS forums and users tend to assume they've got something wrong in their configuration, or blame the browsers for returning a cached response that they are completely entitled to do. "Solutions" are always given to ensure all requests are cross origin (such as by `<img crossorigin ...`) or cache-busting with a query parameter.
S3's CORS implementation came out in 2012 and has never managed to get this right as far as I can tell. They did add a `Vary: Origin` header to their CORS responses in April 2013 - https://forums.aws.amazon.com/thread.jspa?threadID=103402&st... - but still now over 8 years later their non-CORS responses don't have this header.