CORS on CloudFront with S3 and signed cookies

We're having the good old CORS problem loading video

Access to video at 'https://example.com/video.mp4' from origin   'https://otherwebsite.com' has been blocked by CORS policy:   No 'Access-Control-Allow-Origin' header is present on the requested resource.  

This is via CloudFront and a bucket secured with a signed Cookie.

If we take off the security settings the video loads fine cross domain.

The Cache and Origin request policy has the headers whitelisted

The CORS policy

[      {          "AllowedHeaders": [              "*"          ],          "AllowedMethods": [              "GET",              "HEAD"          ],          "AllowedOrigins": [              "*"          ],          "ExposeHeaders": [              "Access-Control-Allow-Origin",              "Content-Length",              "Content-Encoding",              "Content-Range",              "Accept-Ranges",              "Origin",              "Access-Control-Request-Method",              "Access-Control-Request-Headers"          ]      }  ]  

https://stackoverflow.com/questions/65418158/cors-on-cloudfront-with-s3-and-signed-cookies December 23, 2020 at 10:06AM