does an iframe that displays a pdf use an http header and more specifically a cors header
if the pdf asset is served by backblaze private repository and that a cloudfare worker is used to supply the key to obtain the asset, will consideration need to b e made towards cors header
all modern browsers implement the same-origin policy which is a default to deny cross-origin access
(i dont actually know how the browser knows something is cross origin if it is served from the server of the site it is accessing but anyhow…)
cross-origin-resource-sharing (CORS) is layered on top.
so what can change between device and browser ?
CORS enforcement rules, when preflight happens, what headers are required stay the same.
however mobile vs desktop may send slightly differnt headers, cookies and authentication state can differ, older browsers can have bugs