Maybe clients should give an error on this if people put in a NIP-05 address with incorrectly configured CORS, even if the client doesn't need the CORS header themselves.
Discussion
Or web clients shouldn't be calling out to those URLs, but leave it to a back-end.