Looks like the Access-Control-Allow-Origin header is added now, but maybe only contains https://www.wanikani.com/ ?
wkstats.com stopped being able to load the radical SVGs.
Since the radical images/SVGs are part of the API, would it be okay to set Access-Control-Allow-Origin: * so any site or app can use them?