Chrome saying "No 'Access-Control-Allow-Origin' header is present on the requested resource." even though it is present

Chrome is throwing an error

Access to XMLHttpRequest at 'https://codingcollections.com/system/latin-sindhi/addDownload.php' from origin 'https://fahadmaqsood.github.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

While on the Edge, It says:

HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfil it. (XHR)OPTIONS - https://codingcollections.com/system/latin-sindhi/addDownload.php

I browsed questions similar to this, on this website. I found out that adding "header("access-control-allow-origin: *");" in PHP would solve the issue. But in my case, it hasn't.

When I open that URL on the browser, I can see this: [Screenshot] access-control-allow-origin header is present

But through XMLHttpRequest, it isn't working (Header is not present). You can see the error on my website here: https://fahadmaqsood.github.io/latin-sindhi/download/windows.html or you can look at this screenshot: [Screenshot] access-control-allow-origin header is not present

Code on the server:

<?php

header("access-control-allow-origin: *");

$path = $_SERVER['DOCUMENT_ROOT'] . '/system/latin-sindhi/downloads.txt';

$content = file_get_contents($path);
$downloads = ((int) $content) + 1;

$file = fopen($path,'w');
fwrite($file, $downloads);
fclose($file);

echo '{
    downloads: '.$downloads.'
}';

code on the client:

var request = new XMLHttpRequest()

// Open a new connection, using the GET request on the URL endpoint
request.open('GET', '//codingcollections.com/system/latin-sindhi/addDownload.php', true);

request.onload = function() {

    // Begin accessing JSON data here
    var data = JSON.parse(this.response)

    if (request.status >= 200 && request.status < 400) {
        console.log(data);
    } else {
        console.log('error')
    }
}

// Send request
request.setRequestHeader("access-control-allow-origin", "*");
request.send()

I have tried all this before:

header('content-type: application/json; charset=utf-8');
header("access-control-allow-origin: *");
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header("Access-Control-Expose-Headers: Content-Length, X-JSON");

// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
  header("Access-Control-Allow-Headers: *");
}