You can circumvent this by renaming that file to not contain the word chat — but this doesn’t mean that it’s OK to host chat scripts here.
As why your CORS headers settings don’t take effect, I don’t know exactly. What I know is that our 403 don’t allowed to be requested from another source, and apparently you cannot set security headers on our pages.