fix(cdn): preserve upstream headers alongside CORS and cache overrides

The response was built with `{ "Cache-Control": ..., "Access-Control-
Allow-Origin": ..., ...response.headers }`. Spreading a Headers
instance into a plain object does not expand into own properties, so
upstream headers (including Content-Type) were dropped on the floor.

Build a Headers copy of the upstream response and .set() the overrides
on it, so Content-Type and friends survive alongside the locked-down
CORS origin and long cache policy.

0 files changed, 0 insertions, 0 deletions