Served by the widget-e2e container with a real
origin so the backend's widget-session Origin allow-list check
passes. The API key is read from the ?key= query
parameter — Playwright's global setup mints it and the widget
specs append it to the URL.