This could be a security feature introduced for the public REST API with edoras one 2.0. If you used the unofficial public REST API addon with version 1.6, CORS (https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) was enabled by default and configured to allow all origins by default.
As this is quite a security issue, this has been changed since 2.0. CORS is now deactivated with version 2.0 and does not allow access from servers other than the origin server.
You can reenable CORS and set the allowed origins (you should not use *) by using edoras one configuration properties. If you use YAML files as a configuration option you can use the following settings:
# Boolean property to enable or disable CORS for the rest api used by the UI.
# A path into the application that should handle CORS requests. Exact path mapping URIs (such as "/admin") are supported as well as Ant-style path patterns (such as /admin/**).
# Comma-separated list of HTTP methods to allow, e.g. "GET, POST". The special value "*" allows all methods.
# Comma-separated list of headers that a pre-flight request can list as allowed for use during an actual request. The special value of "*" allows actual requests to send any header.
# Comma-separated list of origins to allow, e.g. "http://domain1.com, http://domain2.com". The special value "*" allows all domains.
# Whether user credentials are supported.
# Comma-separated list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma) that an actual response might have and can be exposed.
# How long, in seconds, the response from a pre-flight request can be cached by clients.
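A check to run after re-enabling CORS, as an added example that is not part of the original answer or of edoras one: it audits the CORS headers a server returned for a request sent with an origin that should not be trusted. The function name, finding labels, probe origin and sample responses are all constructed for illustration.

```javascript
// Added example: audit the CORS response headers a server returns for a probe
// request sent with an Origin that should NOT be trusted.
// headers: response headers with lower-cased names (sample data is constructed).
function auditCors(probeOrigin, headers) {
  const findings = [];
  const acao = headers['access-control-allow-origin'];
  const creds =
    (headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  // No Access-Control-Allow-Origin: the browser blocks the cross-origin read.
  if (acao === undefined) return findings;

  if (acao === '*') {
    findings.push('wildcard-origin');
    if (creds) findings.push('wildcard-with-credentials');
  } else if (acao === probeOrigin) {
    // The server accepted an origin that is not on the intended allow list.
    findings.push('untrusted-origin-allowed');
    if (creds) findings.push('untrusted-origin-with-credentials');
  }
  // Wildcards for methods or request headers widen what a cross-origin page may send.
  for (const name of ['methods', 'headers']) {
    const value = (headers[`access-control-allow-${name}`] || '').trim();
    if (value === '*') findings.push(`wildcard-${name}`);
  }
  return findings;
}

// Constructed sample responses (hypothetical, not captured from a real server).
const PROBE = 'https://untrusted.example';
const samples = {
  allowAll: { 'access-control-allow-origin': '*', 'access-control-allow-methods': '*' },
  disabled: {},
  reflected: {
    'access-control-allow-origin': PROBE,
    'access-control-allow-credentials': 'true',
    'access-control-allow-methods': 'GET, POST',
  },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, auditCors(PROBE, headers));
}
```

An empty result for the probe origin is what a restricted allow list should produce; any finding means the configured origins, methods or headers are broader than intended.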