A developer is using Amazon S3 to host a static website. The website uses JavaScript to fetch data from an API Gateway endpoint. Users report that the website loads but API calls fail with HTTP 403 errors. The developer checks the S3 bucket policy and finds it allows public read access. What is the most likely cause?
CORS is required for browser-based cross-origin requests.
Why this answer
S3 static website hosting does not support CORS by default. Option C is correct. Option A is incorrect because S3 bucket policy allows read.
Option B is incorrect if bucket policy is correct. Option D is incorrect because authentication is not required for public content.