
The CORS thing is a big deal. Basically it means your JS error reporting is useless (window.onerror won't report any details) if your JavaScript is loaded from a CDN, unless your CDN has CORS enabled.

If you're using AWS for your CDN, you may be in trouble currently. There's a combination of issues between CloudFront and S3 where this actually becomes a big deal.

While S3 does support CORS, it will only return the "Access-Control-Allow-Origin" header when the Origin header is passed (which only happens on CORS requests themselves). And even if you set an S3 CORS policy of "Access-Control-Allow-Origin: *" it will return a more specific header like "Access-Control-Allow-Origin: example.com", based on the request's "Origin" header. (Because of this behavior, S3 does correctly send a "Vary: Origin" header.)

Now, CloudFront will cache the "Access-Control-Allow-Origin" response header, but it does so incorrectly because it doesn't respect the "Vary: Origin" header from S3.

So, that means that even if you think CloudFront is returning the right "Access-Control-Allow-Origin" header, it's only doing so from some geographic locations and it's based on some randomness of whether or not the 1st cache hit per node happened to have the desired "Origin" header.

I filed a ticket with AWS a few months ago about CloudFront supporting "Vary: Origin", but they haven't yet.

Therefore, to my knowledge, it's impossible today to get decent JS error reporting if your JavaScript is served from CloudFront with an S3 origin.
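
The caching behaviour described in the comment above, as a small model (an added example, not part of the original comment and not AWS code). `originServer`, `makeEdge`, `corsPasses`, `replay` and the sample origins are hypothetical names and constructed values; the edge that honors `Vary` is simplified to always key on the `Origin` value.

```javascript
// Constructed model of one edge node in front of an origin server.
// The origin behaves as the comment describes S3: the CORS header is only
// sent when the request carries Origin, and it echoes that value back.
function originServer(req) {
  const headers = { 'content-type': 'application/javascript' };
  if (req.origin) {
    headers['access-control-allow-origin'] = req.origin;
    headers['vary'] = 'Origin';
  }
  return { headers, body: '/* app.js */' };
}

// Edge cache. With honorVary=false the cache key is the URL alone, so the
// first response stored for a URL is replayed to every later requester.
function makeEdge(honorVary) {
  const store = new Map();
  return function fetchViaEdge(req) {
    const key = honorVary ? `${req.url}|${req.origin || ''}` : req.url;
    if (!store.has(key)) store.set(key, originServer(req));
    return store.get(key);
  };
}

// The browser's check for a CORS script fetch made from pageOrigin.
function corsPasses(res, pageOrigin) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Replay requests against one edge node. Result per request: true/false for
// CORS requests, null for plain requests that send no Origin header.
function replay(honorVary, requests) {
  const edge = makeEdge(honorVary);
  return requests.map((r) => {
    const res = edge(r);
    return r.origin ? corsPasses(res, r.origin) : null;
  });
}

// Constructed sequences: which request reaches the cold edge node first.
const url = '/app.js';
const plainFirst = [{ url }, { url, origin: 'https://example.com' }];
const otherSiteFirst = [{ url, origin: 'https://other.example' },
                        { url, origin: 'https://example.com' }];

console.log('ignores Vary:', replay(false, plainFirst), replay(false, otherSiteFirst));
console.log('honors Vary: ', replay(true, plainFirst), replay(true, otherSiteFirst));
```
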



So somehow I've never noticed this as a problem. We get full stack traces for everything. On the other hand we use the hosted version of Sentry (https://getsentry.com), but since everything is open source, we bundle their raven library (https://github.com/getsentry/raven-js) into our CDN-served package. So window.onerror is set from the same JS as the rest of the app. I'm guessing that avoids the cross-domain issue?


My understanding is that if your website and error-producing-JS file are different domains then you'll have an issue still. I think raven-js does some other stuff regarding letting you rethrow Exceptions, which would still work, but window.onerror is probably not reporting much in most browsers. Could that be the case?



