This is also why I lean on a tiny JSON route with simple CORS. For anyone wiring this up, they can add

Access-Control-Allow-Origin: * (or site origin), and Cache-Control: no-store

Also, watch for mixed content (HTTPS page trying to fetch HTTP gateway), either serve the probe from the gateway or expose /time over HTTPS.