CORS headers missing from 429 response

When the ratelimit is reached, the 429 response is sent without the access-control-allow-origin header, thus preventing a browser application from reading the response and its status code.

Specifically, on the GET /company/{companyNumber} endpoint.

Is the team aware of this? Can I get a response please to indicate the status of this issue?

Bump. Is there a better way of getting a response from the devs on this one? I’ve confirmed this issue is still in production.

So sorry for the delay in updating you all.
Yes, we can now confirm there is an issue with the CORS headers not being included when a 429 response is returned.
Allocation of this work is currently being looked at.