Thanks @gdpelican, I’m reading more on CORS now. Just to be sure I’m following you correctly - I need to modify staffdev (WordPress) to allow requests from staffforum-dev (Discourse)? Not the other way around?
Edit: Also, I’m having a hard time understanding why this worked previously (with the copied in route and controller) and doesn’t now if my plugin does in-fact replicate the old setup.