It looks like the bd-api-dev fence application might not be handling CORS properly. I will detail the list of symptoms which I am seeing that points to the possible issue. This is for the manual extractor endpoint: https://bd-api-dev.ncsa.illinois.edu/extractors?file_type=image%2Fjpeg

Here is a list of symptoms:

1) curl -H "Origin: http://localhost/bdfiddle" -H "Authorization: 4bc165a0-dc08-4008-b51a-b8cdbe37f603" -H "Access-Control-Request-Method: GET" -X OPTIONS --verbose https://bd-api-dev.ncsa.illinois.edu/extractors?file_type=image%2Fjpeg
This statement abover (1) does NOT work and shows the same error that I receive via bdfiddle

2) curl -H "Origin: http://localhost/bdfiddle" -H "Authorization: 4bc165a0-dc08-4008-b51a-b8cdbe37f603" -H "Access-Control-Request-Method: GET" -X OPTIONS --verbose https://bd-api-dev.ncsa.illinois.edu/dap/software
This statement going to dap/software DOES work and is using the same cURL parameters as solution 1.

3) When I run bdfiddle and the cURL command against http://bd-clowder-dev.ncsa.illinois.edu:5000/get-extractors-info?file_type=image%2Fjpeg
This works also for both bdfiddle and cURL

There looks to be some kind of restriction that bd-api is placing on this particular end point but I need help trying to diagnose or recommend a fix for it.