CORS checks prevent an inlay working if added to Civi's domain
If an inlay is used on the same site as Civi, then the browser will not send CORS headers with requests, since they don't need to be CORS requests as they are not cross-site.
However, the checks in corsChecks() did not treat a missing Origin header as OK; they treated it as a client error.
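
As an added example, not the extension's own code: an Origin check that treats a missing header as a non-CORS request while still rejecting origins that are not on the allowlist. The function name `checkOrigin`, the allowlist, the return shape and the 400 status are assumptions made for illustration.

```php
<?php
// Added illustration. checkOrigin(), its return shape and the allowlist are
// hypothetical; this is not the extension's corsChecks() implementation.

/**
 * Decide how to treat a request based on its Origin header.
 *
 * @param array    $server         Request server variables (e.g. $_SERVER).
 * @param string[] $allowedOrigins Origins permitted to make cross-site requests.
 * @return array   ['status' => int, 'headers' => array of header name => value]
 */
function checkOrigin(array $server, array $allowedOrigins): array {
  $origin = $server['HTTP_ORIGIN'] ?? '';

  if ($origin === '') {
    // No Origin header: not a CORS request (e.g. inlay on Civi's own site).
    // Let it through and emit no CORS response headers.
    return ['status' => 200, 'headers' => []];
  }

  if (in_array($origin, $allowedOrigins, true)) {
    // Cross-site request from a known origin: echo that exact origin back.
    return [
      'status' => 200,
      'headers' => [
        'Access-Control-Allow-Origin' => $origin,
        'Vary' => 'Origin',
      ],
    ];
  }

  // Origin present but not on the allowlist: still a client error
  // (400 is an assumed status code).
  return ['status' => 400, 'headers' => []];
}

// Constructed sample requests.
$allowed = ['https://www.example.org'];
$cases = [
  'same-site, no Origin' => [],
  'allowed cross-site'   => ['HTTP_ORIGIN' => 'https://www.example.org'],
  'unknown cross-site'   => ['HTTP_ORIGIN' => 'https://other.example.net'],
];
foreach ($cases as $label => $server) {
  $r = checkOrigin($server, $allowed);
  printf("%-22s -> %d %s\n", $label, $r['status'], json_encode($r['headers']));
}
```

Accepting a missing Origin also admits non-browser clients, which never send the header, so this check cannot stand in for authentication or CSRF protection on state-changing endpoints.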