
Bug: banner.js endpoint does not respond to CORS preflight requests #415

@theonegamer


When embedding the keepandroidopen.org banner on an external site, the banner.js script endpoint fails CORS preflight checks. The server does not return an Access-Control-Allow-Origin header in response to OPTIONS preflight requests, causing browsers to block the script from loading.

Error observed:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Steps to reproduce:

  1. Embed the banner script on any external site:
     <script src="https://keepandroidopen.org/banner.js?hidebutton=off&size=mini" crossorigin="anonymous"></script>
  2. Open browser developer tools → Network tab
  3. Observe the OPTIONS preflight to keepandroidopen.org failing with a CORS error

Expected behavior:
The server should respond to OPTIONS preflight requests with appropriate CORS headers, at minimum:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET

Impact:
Sites embedding the banner with crossorigin attributes (required for Subresource Integrity checks) will have the banner silently fail to load. This also causes security scanner violations on otherwise clean sites, which is counterproductive for a project promoting security-conscious users.

Environment:
Confirmed via Cloudflare Radar URL Scanner.
