Accessing attachments using CORS without redirects?

[Milan Kvetko]

Hi, 

I am trying to create a progressive web app for Zotero, which in principle shall provide a "reading queue" for the articles I added and tagged in my library and to make them available in the offline mode while I am commuting ... 

I would like to avoid hops over the server - so far I was able to retrieve collections, items, ... using CORS directly from the client side. The problem arises when I want to download attachment through the "enclosure" link provided for the attachment item. The browsers simply do not support CORS redirects in AJAX (see e.g. https://stackoverflow.com/questions/38834393/get-location-fragment-with-fetch-api-redirect-response), but the enclosure link (https://api.zotero.org/users/<userid>/items/<attachmentid>/file/view) redirects to Amazon S3. So far I triedy various ways (XmlHTTPRequest, fetch api, fetch with manual redirect) but still end with some form of the error message:

Redirect from 'https://api.zotero.org/users/.../file' to 'https://s3.amazonaws.com/zoterofilestorage/c73db12bf8f26915e9ad59af486435c0…' has been blocked by CORS policy: Request requires preflight, which is disallowed to follow cross-origin redirect.

Is there a way to get attachment link that does not leads to CORS redirect? It will be acceptable e.g.to retrieve temporary S3 link from direct api call so that I can then follow that link with direct CORS AJAX call to S3, the ideal will be api call that just provides the file. It seems there is possibiliy to get file from the url https://files.zotero.net/<magic number>/<filename> but this link is not available with api calls and the magic number seems to be some temporary key anyway.

Regards, Milan.