Hi Fred, apologies for the late reply. Been a busy period for me.
I checked the patch instructions on GitHub, but the change was already in the token.php file (addition of the header(...) line). Hopefully there isn't anything else I missed.
It still gave me the following error/result in the test CORS.html file.
I guess that only leaves the SSL side to check. Did you see the HTTPS URL to which you say it's not a Moodle site? However, I know Joomla is linked to Moodle with the Joomdle plugin, if that's perhaps what you saw?