rate_limit response does not include access-control-allow-origin header?

Requests to the rate_limit endpoint do not seem to include the “access-control-allow-origin” header any more, meaning requests are failing.