Thanks Dilyan, I appreciate the help!
This was my initial instinct too. So I’ve run ngrok so I can use https in development, and I’ve also added the force secure setting.
If I remove the service from behind the standard Cloudflare proxy (no workers), this seems to work fine.
But if I turn the proxy back on, I get a CORS failure. Do other users not put Cloudflare in front of the service? First time I’ve seen doing so cause a problem like this.