Thanks Bill.
Yes, the CORS stuff makes sense. I’m generating the CSVs through my own applications on my websites which fortunately can be “secured”, but these don’t work either e.g.
https://codap.concord.org/app/?url=https://statistics-is-awesome.org/CAS2015_edited.csv
I have no issue using the CSVs in other online tools where a link to CSV can be provided in the URL, so I’m not sure it would be my server settings that are blocking access to CODAP. But I’ll investigate some more!