Corvid stripping CORS headers?

Everything was working great for a while, but all of a sudden all of the CORS requests are failing for functions I’ve set up in http-functions.js. I have various CORS headers like:

Access-Control-Allow-Origin: https://myothersite.com
Access-Control-Allow-Methods: "GET,POST,OPTIONS"
Access-Control-Allow-Credentials: "true"
Access-Control-Max-Age: "86400"

Now those headers are missing from the response. I didn’t see anything in the changelog related to CORS headers no longer being allowed: Updates & Releases | Velo | Wix.com

Is this an intentional change by Corvid? Is there another way to do CORS headers in Corvid http functions?

I’ve tried a few things to get around this, like using response instead of ok and taking out some of the CORS headers to see if some will get through. No luck. I do see that non-CORS headers do get through, like {‘extra-header’: ‘foo’}, but none of the ones needed for CORS are allowed and they are stripped out of the response from the Wix site.

Update: Wix has fixed the bug and CORS headers are allowed again! :tada::tada::tada::tada::tada:
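
A header audit for the symptom described in this post, as an added example that is not part of the original post and is not Wix code: it reports which of the four CORS headers quoted above are missing or altered in a response, and whether a browser would accept a credentialed cross-origin request given what arrived. The names `auditCors`, `EXPECTED`, `STRIPPED` and `INTACT` are assumptions, the sample responses are constructed, and the pass check is a simplification that ignores `Access-Control-Allow-Headers`.

```javascript
// Added example. EXPECTED holds the header values quoted in the post;
// STRIPPED and INTACT are constructed sample responses.
const EXPECTED = {
  'access-control-allow-origin': 'https://myothersite.com',
  'access-control-allow-methods': 'GET,POST,OPTIONS',
  'access-control-allow-credentials': 'true',
  'access-control-max-age': '86400',
};
const STRIPPED = { 'extra-header': 'foo', 'Content-Type': 'application/json' };
const INTACT = {
  'Access-Control-Allow-Origin': 'https://myothersite.com',
  'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Max-Age': '86400',
  'extra-header': 'foo',
};

// Header names are case-insensitive, so lower-case them before comparing.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Lists expected CORS headers that are missing or altered, and says whether
// a credentialed request from `origin` using `method` would pass the check.
function auditCors(responseHeaders, origin, method) {
  const got = normalise(responseHeaders);
  const missing = Object.keys(EXPECTED).filter((n) => !(n in got));
  const changed = Object.keys(EXPECTED).filter((n) => n in got && got[n] !== EXPECTED[n]);
  // With credentials, Allow-Origin must echo the exact origin ("*" is
  // rejected) and Allow-Credentials must be the literal string "true".
  const originOk = got['access-control-allow-origin'] === origin;
  const credsOk = got['access-control-allow-credentials'] === 'true';
  // GET, HEAD and POST are CORS-safelisted; other methods must be listed.
  const verb = method.toUpperCase();
  const safelisted = ['GET', 'HEAD', 'POST'].includes(verb);
  const allowed = (got['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim().toUpperCase());
  return { missing, changed, passes: originOk && credsOk && (safelisted || allowed.includes(verb)) };
}
```

Feeding it the headers seen in the browser's network panel shows whether the platform dropped the CORS headers (everything lands in `missing`) or the function sent a value the browser rejects (the header lands in `changed`).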