I have a managed package and inside it a VisualForce page that is meant to be included as a side panel of the case layout in a console app.

This VF page calls an action function on a controller and this function works on some orgs but doesn't on some other orgs with seemingly no difference in behavior of the requests.

The exact error I get is:

XMLHttpRequest cannot load https://c.na30.visual.force.com/apex/PanelForCasesCustom?isdtp=vw. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://na30.salesforce.com' is therefore not allowed access.

At first I thought it was a problem with a custom domain or a specific salesforce pod that was behaving differently than others, but recently I've had it happen on `na30` pod where in one org it worked and in another one it didn't.

Just to be clear, in both cases, the VF page is being served in an iframe because it is setup on the side of the case layout. In both cases the iframe src is the same. The request in the network tab of the chrome developer tools are both the same and come from the same origin. I tried to compare all the settings in the security section of the org setup and everything that seems to make sense is the same.

(Just to be safe I have included both those domains in the cors settings, and also in the whitelisted domains of both the app and the org itself).

I am asking here as a last resort before opening a case with salesforce.