The internet is full of questions about CORS, and this is definitely another one of them. Here's (what I think is fairly standard) situation, and the problem I'm facing.
CORS is set up and working properly in my web application, and on the external ArcGIS servers which provide the basemaps and data it uses. However, there's an issue which plagues developers and testers:
If I'm developing/testing on devserver.com and my browser makes a CORS request out to basemaps.com, everything works fine. If I then go to prodserver.com in another browser tab and bring up the application, a CORS request is sent out and denied with the "Access to XMLHttpRequest at 'basemaps.com/arcgis...' from origin 'https://devserver.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://prodserver.com' that is not equal to the supplied origin.
If anyone has any insight into a possible solution for this problem, it would be greatly appreciated! This is my white whale.