If you replace rather than add to the headers returned by supplementalHeaders,
that header will be gone.
That said, I don't see how the X-Frame-Options header, which is meant to control
whether a browser can embed your site inside another site via frame, is affecting
your CORS request. It shouldn't be, from what I can tell.
What leads you to conclude it's the X-Frame-Options header that's breaking things?
Thanks,
Antonio