Since A-Frame fetches assets using XHRs, browser security requires the browser to serve assets with cross-origin resource sharing (CORS) headers if the asset is on a different domain. Otherwise, we'd have to host assets on the same origin as the scene.
For some options, GitHub Pages serves everything with CORS headers. We recommend GitHub Pages as a simple deployment platform. Or you could also upload assets using the A-Frame + Uploadcare Uploader, a service that serves files with CORS headers set.
Given that CORS headers are set,
<a-assets> will automatically set
crossorigin attributes on media elements (e.g.,
<video>) if it detects the resource is on a different domain.