Thanks Paul,
Maybe I've misunderstood; I thought adding CORS (cross-origin resource sharing) would allow cross-domain requests with response headers such as Access-Control-Allow-Origin: *
The issue seen is that when requests generate an error response (400), this header (Access-Control-Allow-Origin: *) is not sent in the response.
See the example below, where I've purposely supplied an incorrect api_key:
Remote Address:172.30.40.11:8080
Request URL:http://developer.echonest.com/api/v4/artist/profile?api_key=demo&name=weezer
Request Method:GET
Status Code:400 Bad Request
HTTP/1.1 400 Bad Request
Via: 1.1 ID-0000627501223746 uproxy-3, 1.1 UK-AFF-WSISA01
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 92
Date: Wed, 03 Sep 2014 07:41:32 GMT
Content-Type: application/json; charset=utf-8
Server: TornadoServer/3.1
X-Request-Id: LHxeYkr/RIKX3aQvNJciIw
X-Api-Key: Unknown
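
Added example, not part of the original post and not the API provider's code: without Access-Control-Allow-Origin on the 400 response, a browser will not let cross-origin script read the JSON error body, so the header has to be attached on the error path as well as the success path. The sketch below does that with standard-library WSGI middleware; the toy endpoint, the key value and the helper names (`api_app`, `with_cors`, `call`) are assumptions made for illustration.

```python
# Added example (constructed): a toy WSGI API plus middleware that sets the
# CORS header on every response, including 4xx errors.
import json
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

VALID_KEYS = {"constructed-valid-key"}  # hypothetical key store


def api_app(environ, start_response):
    """Toy endpoint: 400 with a JSON error body when api_key is unknown."""
    key = parse_qs(environ.get("QUERY_STRING", "")).get("api_key", [""])[0]
    ok = key in VALID_KEYS
    status = "200 OK" if ok else "400 Bad Request"
    body = json.dumps({"ok": ok} if ok else {"error": "bad api_key"}).encode()
    start_response(status, [
        ("Content-Type", "application/json; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def with_cors(app, allow_origin="*"):
    """Wrap start_response so the header is added whatever the status is.

    "*" suits only public APIs that do not rely on cookies or HTTP auth.
    """
    def wrapped(environ, start_response):
        def cors_start_response(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "access-control-allow-origin"]
            headers.append(("Access-Control-Allow-Origin", allow_origin))
            return start_response(status, headers, exc_info)
        return app(environ, cors_start_response)
    return wrapped


def call(app, query):
    """Invoke a WSGI app in-process; return (status, headers dict, body)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Calling `call(api_app, "api_key=demo&name=weezer")` reproduces the 400 without the header, while the same call against `with_cors(api_app)` returns the 400 with it.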