Issue
Enabling CORS in Drupal 8 (See D.O: Opt-in CORS Support) within Acquia Cloud may sometimes serve a request that lacks the proper headers, because of a bug in core triggered by the asm89/stack-cors component, which is not sending a Vary: Origin header on all responses.
This can result in requests to Drupal missing one or more of these headers:
- Access-Control-Allow-Origin
Affected Applications/Limitations
This affects any Drupal 8 responses which should are cacheable once you enable CORS support in the site.
Resolution
Consult the known Drupal.org issue at [#3001809} CORS breaks with cache proxies and same origin usage which is in progress at the time of writing, which includes a patch.