79275790

Date: 2024-12-12 16:11:02
Score: 1

I've done the same when I look at a hidden field via the Network tab. It stops anyone not technical enough to look in the right place. Developers can use the information needed for their purposes.

Headers get dropped in scripts due to CORS security and policy. The action is designed to protect both users and web applications.

Headers that are not explicitly allowed by the server (via Access-Control-Allow-Headers) cannot be accessed in JavaScript, even if they are visible in the network tab.

So even though you can copy and paste authorization tokens you see with your own eyes, CORS ensures that malicious scripts cannot programmatically access sensitive data without explicit permission. It slows down the process.

Without CORS, JavaScript could make requests and retrieve sensitive information without the user's consent.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Silver Spade
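
The filtering discussed in this answer, modelled as an added example that is not part of the original post: the function applies the Fetch standard's rule for cross-origin responses, under which script can read only the CORS-safelisted response headers plus any names the server lists in Access-Control-Expose-Headers. The function name, the sample header names and values, and the origin are constructed for illustration.

```javascript
// Model of the header filtering a browser applies to a cross-origin (CORS)
// response before script can read it. All sample values are constructed.

// CORS-safelisted response-header names (Fetch standard): always readable.
const SAFELISTED = ["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"];
// Forbidden response-header names: never readable by script.
const FORBIDDEN = ["set-cookie", "set-cookie2"];

// responseHeaders: name -> value, as shown in the Network tab.
// withCredentials: true when the request used credentials: "include".
function scriptVisibleHeaders(responseHeaders, withCredentials = false) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = value;
  }
  const exposeRaw = lower["access-control-expose-headers"] || "";
  let exposed = exposeRaw.split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  // "*" exposes every header only for requests without credentials;
  // with credentials it is just a literal header name "*".
  if (exposed.includes("*") && !withCredentials) {
    exposed = Object.keys(lower);
  }
  const allowed = new Set(
    [...SAFELISTED, ...exposed.filter((n) => !FORBIDDEN.includes(n))]);
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (allowed.has(name)) visible[name] = value;
  }
  return visible;
}

// Constructed sample response: the token header is on the wire but not exposed.
const sample = {
  "Content-Type": "application/json",
  "X-Request-Id": "req-123",
  "X-Auth-Token": "constructed-token-value",
  "Set-Cookie": "sid=constructed; HttpOnly",
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Expose-Headers": "X-Request-Id",
};

console.log(Object.keys(scriptVisibleHeaders(sample)));
```

When reviewing a server's CORS configuration, the same model shows why a wildcard in Access-Control-Expose-Headers widens what cross-origin script can read on non-credentialed requests.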