diff --git a/src/components/TopicView.jsx b/src/components/TopicView.jsx
index 5228a6c..95fb262 100644
--- a/src/components/TopicView.jsx
+++ b/src/components/TopicView.jsx
@@ -7,11 +7,15 @@ import { LEGACY_BASE_URL, REST_BASE_URL } from '../data/topics'
 const ADMIN_SECRET = 'nearle-admin-secret'
 function toProxyPath(fullUrl) {
- // REST: always strip to a relative /live/... path so the request goes through
- // the local server proxy (Vite dev/preview, or nginx in production).
- // This avoids CORS entirely — the browser never talks to jupiter.nearle.app directly.
+ // REST: jupiter.nearle.app lacks CORS headers, so we MUST proxy it.
 if (fullUrl.startsWith(REST_BASE_URL)) {
- return fullUrl.slice(REST_BASE_URL.length)
+ // Locally, Vite intercepts /live/... and proxies it perfectly.
+ if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
+ return fullUrl.slice(REST_BASE_URL.length)
+ }
+ // In production, since we cannot configure the host server (like Nginx),
+ // we use a public CORS proxy to bridge the request directly from the browser!
+ return 'https://corsproxy.io/?url=' + encodeURIComponent(fullUrl)
 }
 // Legacy (api.workolik.com): CORS is open, admin secret injected in headers.
 return fullUrl
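Review bot: The new production branch in `toProxyPath` returns `'https://corsproxy.io/?url=' + encodeURIComponent(fullUrl)`, which sends every REST request through a third-party relay that sees the traffic in plaintext, so its operator can read and alter the full URL, any headers or body the caller attaches, and the response the app then trusts. Whether credentials such as `ADMIN_SECRET` ride on these REST calls is not visible in this hunk, but if they do they are disclosed to that service; the secret being a literal in client code already makes it readable by anyone who has the bundle. I would keep `return fullUrl.slice(REST_BASE_URL.length)` for all hosts and serve `/live/...` from a same-origin proxy or function you control (or have jupiter.nearle.app send CORS headers), and if a relay is truly unavoidable, read its base URL from build-time configuration and limit it to unauthenticated, read-only requests. The `localhost`/`127.0.0.1` hostname test also sends `[::1]` or a LAN address down the relay path, so a build-time flag is a more reliable switch than `window.location.hostname`. The function body continues past the end of the hunk.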