CORS header 'Access-Control-Allow-Origin' missing

It seems Tor Browser sometimes strips the Access-Control-Allow-Origin header. I ran into the issue when using Globe. When the header is stripped the browser console contains the warning

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://onionoo.torproject.org/details?lookup=299F0933E93B6571ED1CB3D52090E6E13D62427C. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

The reasons why i believe Tor Browser is the cause are

  1. Onionoo explicitly sets the header.
  2. Responses from direct requests to an Onionoo resource using Tor Browser sometimes do not show the header in the Network Monitor.
  3. Responses from direct requests to the same Onionoo resource using curl consistently contain the header.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information