Dropping the DFO widget into a Next.js App Router page triggers a CORS error on the initial handshake. The preflight hits our custom DFO endpoint but fails because Next.js doesn’t include the Access-Control-Allow-Origin header. Adding headers in middleware doesn’t seem to catch the OPTIONS request for the widget script. Anyone got this working with SSR?