Corsica 2.0 - CORS Header Access-Control-Allow-Origin Missing through to

I’m testing my video player with a live .m3u8 endpoint that I obtained via youtube-dl it looks like this(truncated): ... SycMQ7_2q/playlist/index.m3u8

so when I hard-code it for my Vidstack player/liveview hook to play it, I get this error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

I added Corsica as a plug in endpoint.ex like this(before plug Plug.Static):

    max_age: 3600,
    allow_headers: :all,
    origins: "*"
GET /api/manifest/hls_pla...2q/playlist/index.m3u8 HTTP/2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: */*
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Origin: http://localhost:4000
Connection: keep-alive
Referer: http://localhost:4000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
DNT: 1
Sec-GPC: 1

Note the missing Access-Control-Allow-Origin

Am I using this right?