I have a userscript that shows release group thumbnails on artist page.

I wanted to make it cleaner by using the CAA release-group API instead of trying to load images directly, as I have been doing for years.

But then I get this CORS error, when my JavaScript, running from MBS, gets redirected to a release index.json from a release-group API endpoint:

Access to XMLHttpRequest at 'https://ia801607.us.archive.org/3/items/mbid-3163de29-d892-4f7c-85a7-2af152732fe5/index.json' (redirected from 'https://coverartarchive.org/release-group/c694baf5-cdb3-4a08-98fd-82b3917cff75') from origin 'https://musicbrainz.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I found CAA-4 which shows that full CORS (not only from MBS) is allowed for images and for release/index.json.

But something seems to be needed for the release-group API to run properly when called from MBS.