Maggie,
I think you have the right idea.
The basic idea at work is that any "ajax" request, which is what
d3.csv does, has to come from the same domain and port as the webpage
that is showing the content. CORS is a fancy way to negotiate
workarounds, but the simple workflow goes like this:
For development, it's customary for people to use localhost:8080, or
something similar for everything, both web page and data.
In testing, or for sharing, it's customary for people to use a service
like http://bl.ocks.org/ so that both the data and the webpage get
served from the same place. You can test it out by uploading your
test to gist.github.com and viewing it on blocks. This is often a
great way to get help, since everyone is able to see and work on the
same problem.
In your case, it's probably just as easy to make the data available
from the same port and domain as the webpage; if not, there is CORS.
In "production" this is exactly what people do, just as you suggested.
You will find that jQuery.ajax and friends all have similar
restrictions; it's a safety feature.
-bewest
P.S. In really fancy environments, you might use several webservers to
either proxy or "reverse-proxy" to the right services, or in
restrictive environments you might find something like
http://xip.io/ handy.
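
The same-origin rule described in the message above, together with the CORS exception, as an added example that is not part of the original message. The URLs, the function names and the shape of the header object are constructed assumptions.

```javascript
// Added example: decide whether a page may read the response to a simple GET
// (such as the one d3.csv issues). All URLs used with it are constructed samples.

// Origin = scheme + host + port; the URL class normalises default ports.
function originOf(url) {
  const origin = new URL(url).origin;
  // file: and other opaque origins serialise to "null"; treat them as no origin.
  return origin === "null" ? null : origin;
}

function isSameOrigin(pageUrl, requestUrl) {
  const page = originOf(pageUrl);
  return page !== null && page === originOf(requestUrl);
}

// responseHeaders: plain object with lower-case header names (assumed shape).
function canReadResponse(pageUrl, requestUrl, responseHeaders = {}, withCredentials = false) {
  if (isSameOrigin(pageUrl, requestUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  const page = originOf(pageUrl);
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "cross origin, no Access-Control-Allow-Origin" };
  }
  if (withCredentials) {
    // Credentialed requests need the exact origin plus Allow-Credentials: true;
    // the "*" wildcard is not accepted for them.
    const ok = page !== null && allowOrigin === page &&
      responseHeaders["access-control-allow-credentials"] === "true";
    return { allowed: ok, reason: ok ? "CORS with credentials" : "credentialed request not permitted" };
  }
  const ok = allowOrigin === "*" || (page !== null && allowOrigin === page);
  return { allowed: ok, reason: ok ? "CORS header permits origin" : "origin not listed in CORS header" };
}

// Constructed demo: page on localhost:8080, data on the same port and on another.
const page = "http://localhost:8080/index.html";
for (const data of ["http://localhost:8080/data.csv", "http://localhost:9000/data.csv"]) {
  console.log(data, canReadResponse(page, data));
}
```

A page opened straight from disk (a `file:` URL) has no usable origin, which is why the check reports it as cross-origin even against a neighbouring file.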