CORS, S3, Origin headers

Learned something new today: Amazon S3 only serves CORS headers if asked to with an Origin: header in the request.

$ curl --silent -i https://s3.amazonaws.com/metro-extracts.mapzen.com/cities.json | head -20
HTTP/1.1 200 OK
x-amz-id-2: d3m01CEUWtx5ZNomSKLJHFihaigT/YZr5B2hY0bpi+KTWvfFWmapxZlEH72yl+v1
x-amz-request-id: 613AC95DCE686F29
Date: Sun, 11 May 2014 23:42:51 GMT
Last-Modified: Sat, 10 May 2014 00:49:14 GMT
ETag: "db184f33f4774a213ff4eb6428ba243c"
Accept-Ranges: bytes
Content-Type:
Content-Length: 56589
Server: AmazonS3

$ curl --silent -H "Origin: http://some.url.com" -i https://s3.amazonaws.com/metro-extracts.mapzen.com/cities.json | head -20
HTTP/1.1 200 OK
x-amz-id-2: 9JqpSl5SOftwRTeIa2b91V+drB1WwM8QySWftj55vSy+cvdQ8RNuRWoceeZW3Gho
x-amz-request-id: 2327BBA990C7F483
Date: Sun, 11 May 2014 23:43:32 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
Last-Modified: Sat, 10 May 2014 00:49:14 GMT
ETag: "db184f33f4774a213ff4eb6428ba243c"
Accept-Ranges: bytes
Content-Type:
Content-Length: 56589
Server: AmazonS3