sooo we're denying CORS on API subdomain?