AFAIK you can bypass it with curl because there's an explicit whitelist for it, no need for a headful browser.