Why do I get a CORS error when I've set Access-Control-Allow-Origin?

I was requesting

http://mpappname.herokuapp.com/api/v1/products

instead of

http://mpappname.herokuapp.com/api/v1/products/

Maybe obvious to some but I needed to read this blog post explicitly to understand this:

https://airbrake.io/blog/http-errors/308-permanent-redirect

The appearance of a 308 Permanent Redirect is usually not something that requires much user intervention. All modern browsers will automatically detect the 308 Permanent Redirect response code and process the redirection action to the new URI automatically. The server sending a 308 code will also include a special Location header as part of the response it sends to the client. This Location header indicates the new URI where the requested resource can be found. For example, if an HTTP POST method request is sent by the client as an attempt to login at the https://airbrake.io URL, the web server may be configured to redirect this POST request to a different URI, such as https://airbrake.io/login. In this scenario, the server may respond with a 308 Permanent Redirect code and include the Location: https://airbrake.io/login header in the response. This informs the user agent (browser) that the POST request data (login info) was received by the server, but the resource has been permanently moved to the Location header URI of https://airbrake.io/login.