Can't send Access-Control-Allow-Origin header along with 302 redirect, breaking browser CORS

We have a problem with our site, where we are using lots of 302 redirects.

Let’s for a moment assume I have the following two files:

# _headers
  Access-Control-Allow-Origin: *
# _redirects
/content/lorem /content/ipsum 302

Then, when requesting /content/lorem, I would expect to get back a 302 response together with the Access-Control-Allow-Origin header. However, that is not the case.
This is actually breaking our site in a way: When doing a CORS request from a different origin to /content/lorem, the Access-Control-Allow-Origin header missing leads to the following error:

Access to fetch at '[...]/content/lorem' from origin '[...]' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

See also this blog post to describe that behaviour.

I have seen your response in Netlify does not send custom headers in a redirect file (using https in the "to") - #19 by hrishikesh already, saying that headers are not meant to be served with redirects. However, since in this case this behaviour is breaking browser CORS rules, I would argue that at least the Access-Control-Allow-Origin should be served in this case.

Thank you,

Sorry to say, but that is an incorrect assertion and this won’t be supported (probably ever). You asked Netlify to redirect, so it did. What happens after the redirect is not something Netlify can control (or should be controlling for that matter). The header should come from the destination server.

Since you’re trying to bypass CORS, why not use Netlify Rewrites instead?