Hey @cpalm,
Now that I’ve had a couple of minutes to actually think about this, I believe we’re approaching the problem from the wrong side. You need to enable CORS (set the Access-Control-Allow-Origin header) on whatever is hosting your local dev environment, not on Browsersync.
- Your site is running on palmtree.studios.local, served by whatever local dev setup you have running
- You’re loading the site at localhost:3000, served by Browsersync
- The AJAX request from localhost:3000 hits palmtree.studios.local and palmtree.studios.local says “nope, don’t know you”
The cors Browsersync option tells Browsersync to be more relaxed when requests are made to Browsercync itself. You need the opposite: to tell whatever local hosting setup you’re running to relax, so that when Browsersync asks it for stuff it doesn’t get nervous and say no. For obvious reasons, request originators (Browsersync, in this case) can’t tell servers how secure to be.
So, you’ll need to figure out how to enable that header for whatever local dev setup you’re running.