I wasn’t getting a green lock on meta - turned out to be that I visited a topic with mixed content, but I see that this is happening on meta:
Image from origin ‘https://cdn-enterprise.discourse.org/meta’ has been blocked from loading by Cross-Origin Resource Sharing policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://meta.discourse.org’ is therefore not allowed access.
Figured I’d let someone know.
Yeah this often happen with oneboxed content or linked images. There’s not much we can do here.
Wouldn’t that header be present on the Fastly content @sam?
The mentioned warning (in Chrome console) shows up on the main page, so I don’t think it has anything to do with oneboxed content or linked images.
Agreed Regis… it was foreign content in a topic that got my attention.
not really, we have to enable cors to get headers, not sure why this is happening but I also dislike the errors in chrome.
This is happening when “Show new / updated topic count on browser icon” is enabled in the user preferences. The missing Access-Control-Allow-Origin header on S3 prevents the topic count to show up in the favicon.
Since the topic about Favicon notification was closed as “complete” I’d like to point out, that there’s still an issue with CORS that can prevent it from working properly.
I guess this should be mentioned in some documentation about S3 and it would be great if this header could be enabled here on meta. 
Maybe do a howto on it?
I’m not a S3 user. Maybe we should move this out of Lounge in order to find someone willing to document this?
Anyway, the solution posted on stackoverflow looks promising…
Fixed everywhere (including for S3 setups per: https://meta.discourse.org/t/whatever-happened-to-favicon-notifications/32351/8?u=sam)
Yay 