This took me way to long to figure out.

  1. In the S3 interface, click the magnifying glass icon to the left of your bucket.
  2. Click the "Edit CORS Configuration" button. It should be right next to "Add Bucket Policy"
  3. You should already have a CORS XML file in here, if not mine looked like this :

    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
    </CORSRule>
    </CORSConfiguration>
    

    This CORS header allows all websites to perform GET requests against this resource.

  4. To reference the file, you must use the url structure [bucket].s3.amazonaws.com/[object]
  5. If using an img tag, it must contain the attribute crossorigin="anonymous". Read more here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#attr-crossorigin

Check out MDN for more information about CORS headers.