diff --git a/ckanext/s3filestore/views/resource.py b/ckanext/s3filestore/views/resource.py
index fd1dd9d..83aaa5f 100644
--- a/ckanext/s3filestore/views/resource.py
+++ b/ckanext/s3filestore/views/resource.py
@@ -74,7 +74,15 @@ def resource_download(package_type, id, resource_id, filename=None):
                         'attachment; filename=' + filename,
                 }
                 url = upload.get_signed_url_to_key(key_path, params)
-            return redirect(url)
+
+            redir = redirect(url)
+            # remove Authorization header from redirect
+            # so that it doesn't get passed to S3
+            # (which doesn't like it)
+            redir.headers.pop('Authorization', None)
+            # remove Origin header because it causes problems with CORS on S3
+            redir.headers.pop('Origin', None)
+            return redir
 
         except ClientError as ex:
             if ex.response['Error']['Code'] in ['NoSuchKey', '404']: