I’m getting the same error when developing locally and when deploying to a front end that requires some images from Ghost. I’m running Ghost at content.example.com and have the front end deployed on example.com.
I tried the curl command you shared with my Ghost URL and API key. I got the same result:
access-control-allow-origin: *
The error on Chrome reads:
Access to fetch at 'https://content.example.com/content/images/2019/10/example.jpeg' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
and on Safari:
Cannot load image https://content.example.com/content/images/2019/10/example.jpg due to access control checks.
Failed to load resource: Response served by service worker is opaque.
Would the best solution be to properly configure access-control-allow-origin?
How do you configure access-control-allow-origin?
I couldn’t find much on trusted domains in the Ghost docs, but some forum mentions here and here seem to suggest that is the solution. The accepted answer points to the API docs but I couldn’t find anything about CORS or trusted domains when searching there.
Thanks!