Not knowing more details about your setup, it might help to look into enabling CORS on AWS. Unfortunately, I am not an expert on this and don’t know how CORS works for RDS… but maybe this will help:
As for what to allow, I allow for an open CORS policy on my AWS S3 buckets:
<?xml version="1.0" encoding="UTF-8"?>
This configuration sample allows a user to view or update objects inside of a bucket from any origin. This is bad practice / insecure but I find it convenient for when I publish notebooks to HTML for hosting elsewhere… I could probably omit the
PUT option and things would work just find, but I haven’t played around. …and, of course, if anyone wishes to suggest a better/more secure CORS policy for reading, I’d be happy to learn.
and yes, you’ve got it: you can limit operations on a bucket to only those coming from observablehq as follows:
<AllowedOrigin>*.static.observableusercontent.com</AllowedOrigin>. [note: adjusting this to avoid confusion following Mike’s correction below.]
And for more discussion on CORS, I like this resource:
Not sure if this helps or not, but hopefully it’s a step toward getting you started!