The origin IP address is identical in both cases.
Insomnia reports the following response headers for the request that can’t be handled by browsers:
< HTTP/2 200
< date: Mon, 29 May 2023 08:55:54 GMT
< content-type: application/json
< access-control-allow-credentials: true
< access-control-allow-headers: X-RateLimit-Query, origin, content-type, content-length, user-agent, host, accept, authorization
< access-control-expose-headers: X-RateLimit-Window, X-RateLimit-Limit, X-RateLimit-Remain, X-RateLimit-Reset, Location, www-authenticate, cache-control, pragma, content-type, expires, last-modified
< access-control-max-age: 3600
< x-ratelimit-limit: 600
< x-ratelimit-remain: 598
< x-ratelimit-reset: 1685350720
< x-ratelimit-window: 5m
< server: CompaniesHouse
I note that access-control-allow-origin is missing, but then again, it’s also missing in Insomnia for other queries that work in a browser - so I don’t think we can read too much into that
But for those (working) queries, I can see access-control-allow-origin in the browser response headers, and it is set to my origin domain (because I have enabled that origin in my API definition registered against my application).
Anyway … I have to knock it on the head for today; hopefully someone at the CH team will see this and respond soon