Ah that could explain the difference. Is there any guideline what the header should be?
Discussion
plain ol' `Access-Control-Allow-Origin: *`
IIUC the fact that I redirect to (my own) nostr:npub155m2k8ml8sqn8w4dhh689vdv0t2twa8dgvkpnzfggxf4wfughjsq2cdcvg should mean that setting CORS headers is it's responsibility. So maybe this is a bug on their end? 