Quick answer: Construct 3 AJAX request to your own API blocked by CORS in published web build? Server must send Access-Control-Allow-Origin matching the game's origin - configure or use a proxy.
Game on itch.io fetches scores from your API. Browser blocks with CORS error.
Configure CORS server-side
Access-Control-Allow-Origin: https://*.itch.zone
Access-Control-Allow-Methods: GET, POSTAllow the game's origin. Wildcard subdomain handles itch's serving model.
Or use a CORS proxy
For quick prototypes, a public CORS proxy works. Don't ship; the proxy is a dependency and a security risk.
Test on the deploy target
Local file:// origin doesn't trigger CORS. The bug surfaces only when deployed; test on the actual deploy URL early.
“CORS is the browser's rule. Servers comply or fail.”
Document your API's allowed origins. Adding a new platform means adding a new origin; the list grows with deployment targets.