CORS headers missing from 429 response

When the rate limit is reached, the 429 response is sent without the access-control-allow-origin header, thus preventing a browser application from reading the response and its status code.

Specifically, on the GET /company/{companyNumber} endpoint.

Is the team aware of this? Can I get a response please to indicate the status of this issue?
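
An added example, not part of the original post and not the API's own code: a server-side handler in which the CORS headers are computed before the rate-limit decision, so a 429 carries `Access-Control-Allow-Origin` like any other response. The allow-list, the limit values and the function names (`corsHeaders`, `overLimit`, `handle`) are assumptions for illustration.

```javascript
// Hypothetical rate-limited handler; names and values are assumed, not the real service's.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed allow-list
const LIMIT = 2;           // assumed: requests allowed per window
const WINDOW_MS = 60_000;  // assumed: window length in milliseconds
const hits = new Map();    // client key -> { count, windowStart }

// CORS headers are computed once, before any decision about the status code.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    // Retry-After is not a CORS-safelisted response header, so expose it explicitly.
    "Access-Control-Expose-Headers": "Retry-After",
  };
}

// Returns 0 when the request is allowed, otherwise the seconds left in the window.
function overLimit(key, now) {
  const entry = hits.get(key);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    hits.set(key, { count: 1, windowStart: now });
    return 0;
  }
  entry.count += 1;
  if (entry.count <= LIMIT) return 0;
  return Math.ceil((entry.windowStart + WINDOW_MS - now) / 1000);
}

// Returns { status, headers, body }; every branch spreads the same CORS headers.
function handle(request, now = Date.now()) {
  const cors = corsHeaders(request.origin);
  const retryAfter = overLimit(request.clientKey, now);
  if (retryAfter > 0) {
    return {
      status: 429,
      headers: { ...cors, "Retry-After": String(retryAfter), "Content-Type": "application/json" },
      body: JSON.stringify({ error: "rate limit exceeded" }),
    };
  }
  return {
    status: 200,
    headers: { ...cors, "Content-Type": "application/json" },
    body: JSON.stringify({ companyNumber: request.companyNumber }),
  };
}
```

With the headers attached this way, a browser client can read `response.status === 429` and the `Retry-After` value instead of receiving an opaque network error from `fetch`.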