CORS access-control-allow-origin not registering correctly

Before asking, did you search first? Press :mag: at the upper right to search. Yes.

I have setup security headers in Cloudflare Transform Rules Modify Header Response.
However, when I am running the facebook chat code, it blocks the facebook code and says Blocked MIssing Header Access-Control-Allow-Origin.

This is even though all security headers are setup the same and everything else appears to be functioning.

At present I have Access-Control-Allow-Origin set to *. I have tried other settings as well. It does not seem to be registering.

Site is www.sydney-tours.com.au

These are the headers I have setup.