Static And Dynamic Caching On Incapsula Can Cause CORS errors

We’re loading an SVG sprite via AJAX from our CDN because SVG is XML and that’s not allowed to be loaded cross-domain. That all worked fine across all our environments, but it broke on production:

Access to XMLHttpRequest at 'https://cdn.foo.bar/images/svg/sprite.svg' from origin 
'https://www.foo.bar' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.

That was strange because the “cdn.foo.bar” app service was already configured to allow all origins: “ALLOWED ORIGINS = *”.

It turned out the Incapsula WAF caching was configured to Static + Dynamic. After disabling caching in Incapsula, the CORS error was gone.
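
One way a caching layer can produce the error above, as an added sketch that is not from the original post and is not Incapsula's or the app service's code. It assumes the origin only emits `Access-Control-Allow-Origin` when the request carries an `Origin` header and that the cache keys on the URL alone; the post confirms neither, and `originServer`, `makeEdgeCache`, `corsAllows` and `xhrSucceeds` are hypothetical names.

```javascript
// Constructed model of the failure; not Incapsula's or the app service's code.

// Assumption: the origin adds the CORS header only when the request carries
// an Origin header, even with all origins allowed.
function originServer(req) {
  const headers = { 'content-type': 'image/svg+xml' };
  if (req.headers.origin) headers['access-control-allow-origin'] = '*';
  return { status: 200, headers };
}

// Assumption: the caching layer stores the first response it sees per key.
// keyOnOrigin=false models a cache that ignores the Origin request header.
function makeEdgeCache(upstream, keyOnOrigin) {
  const store = new Map();
  return (req) => {
    const key = keyOnOrigin ? `${req.url}|${req.headers.origin || ''}` : req.url;
    if (!store.has(key)) store.set(key, upstream(req));
    return store.get(key);
  };
}

// The check a browser applies to a non-credentialed cross-origin XHR response.
function corsAllows(res, pageOrigin) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Prime the cache with a request that has no Origin header (for example a
// direct navigation to the file), then replay the page's XHR.
function xhrSucceeds(keyOnOrigin) {
  const edge = makeEdgeCache(originServer, keyOnOrigin);
  const url = 'https://cdn.foo.bar/images/svg/sprite.svg';
  edge({ url, headers: {} });
  const res = edge({ url, headers: { origin: 'https://www.foo.bar' } });
  return corsAllows(res, 'https://www.foo.bar');
}

console.log('URL-only cache key :', xhrSucceeds(false));
console.log('Origin in cache key:', xhrSucceeds(true));
```

If this is what happened, the cached copy was stored without the header, which is consistent with the error disappearing once caching was disabled.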