Google Sign-In via OpenID Connect
For a web app I use Google Sign-In via OpenID Connect. It worked well for users all over Europe without any problems.
Since July, login from Spanish IPs is no longer possible because it ends with a CORS error.
The reason for the CORS problem is that, after a request with "Origin" in the request header, the response headers do not contain 'access-control-allow-origin'.
The problem request is against the jwks-uri ("https://www.googleapis.com/oauth2/v3/certs") from the Google Discovery Document.
The 'access-control-allow-origin' response header is missing only for requests from Spanish IPs; elsewhere in Europe the response headers contain 'access-control-allow-origin'.
The missing 'Access-Control-Allow-Origin' response header can be seen with curl:
curl -v -H "Origin: https://bla.appspot.com" https://www.googleapis.com/oauth2/v3/certs
Correct response outside Spain:
...
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< access-control-allow-origin: https://bla.appspot.com
< access-control-expose-headers: date,content-encoding,server,content-length
< alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
< accept-ranges: none
...
Incorrect response from Spanish IPs:
...
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< cache-control: public, max-age=24874, must-revalidate, no-transform
< age: 9060
< alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
< accept-ranges: none
...
Why does this only happen with Spanish IPs, and how do I get the required "access-control-allow-origin" in the response header?
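The header check described in the question, as an added Python example that is not part of the original post: it parses the "< " response lines that curl -v prints and reports whether a browser at the given Origin would be allowed to read the JWKS response. The two header excerpts from the question are reused here as constructed input; the function names and the cache-related hint are assumptions of this example.

```python
"""Check CORS headers on a JWKS response captured with `curl -v`.

Added example (not from the question): parses the "< header: value" lines
that curl -v prints and decides whether a browser would accept the response
for a given Origin. Function names are assumptions of this example.
"""

# Constructed from the two response excerpts quoted in the question.
RESPONSE_OK = """\
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< access-control-allow-origin: https://bla.appspot.com
< access-control-expose-headers: date,content-encoding,server,content-length
< alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
< accept-ranges: none
"""

RESPONSE_BAD = """\
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< cache-control: public, max-age=24874, must-revalidate, no-transform
< age: 9060
< alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
< accept-ranges: none
"""

ORIGIN = "https://bla.appspot.com"


def parse_curl_response_headers(text: str) -> dict:
    """Collect response headers from curl -v output.

    Only lines prefixed with "< " are response lines; the status line
    ("< HTTP/2 200") has no colon and is skipped. Names are lower-cased
    because HTTP header names are case-insensitive.
    """
    headers = {}
    for line in text.splitlines():
        if not line.startswith("< "):
            continue
        name, sep, value = line[2:].partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def check_cors(headers: dict, origin: str) -> dict:
    """Decide whether a browser at `origin` may read this response.

    Mirrors the basic (non-credentialed) CORS rule: the response must carry
    Access-Control-Allow-Origin equal to "*" or to the exact request Origin.
    Returns a verdict plus diagnostic hints for the failing case.
    """
    acao = headers.get("access-control-allow-origin")
    allowed = acao is not None and acao in ("*", origin)
    hints = []
    if acao is None:
        hints.append("no access-control-allow-origin header in the response")
        if "age" in headers:
            # An Age header means a cache, not the origin server, answered.
            # A cached copy stored without CORS headers fails for every
            # browser client until it expires; worth raising with the operator.
            hints.append(
                f"served from a cache (age={headers['age']}); the cached copy "
                "may have been stored without the CORS headers"
            )
    elif not allowed:
        hints.append(f"access-control-allow-origin is {acao!r}, not {origin!r}")
    return {"allowed": allowed, "acao": acao, "hints": hints}


def diagnose(curl_output: str, origin: str = ORIGIN) -> dict:
    """Convenience wrapper: parse the capture, then apply the CORS check."""
    return check_cors(parse_curl_response_headers(curl_output), origin)


if __name__ == "__main__":
    for label, capture in (("outside Spain", RESPONSE_OK), ("Spanish IP", RESPONSE_BAD)):
        verdict = diagnose(capture)
        print(f"{label}: allowed={verdict['allowed']}")
        for hint in verdict["hints"]:
            print(f"  - {hint}")
```

Run against a fresh capture by pasting the curl -v output into a file and passing its contents to diagnose(). The cache hint is only a pointer: the Spanish response carries an age header, so it was answered by an intermediate cache rather than the origin server, which is the first thing to check when a header is present in one region and absent in another.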