Dbconnections/change_password endpoint ignores "Allowed Origins (CORS)" configuration


I am using the /dbconnections/change_password endpoint and I can see that the POST request is returned with Access-Control-Allow-Origin: * header (OPTIONS request have same behavior)

Is there a way to configure Access-Control-Allow-Origin to predefined origins?

It seems, configuration in Applications - Settings - Allowed Origins (CORS) does not effect dbconnections/change_password endpoint, the response is still returned with Access-Control-Allow-Origin: * header.

In addition to this:
OPTIONS /oauth/token = Access-Control-Allow-Origin: *
POST /oauth/token = Works as intended, the relevant entry is returned in the header.