Currently, the CORS policy for the 4chan API (a.4cdn.org) only allows requests from boards.4chan.org and boards.4channel.org (at least according to the docs).
This policy can be bypassed anyway by using a CORS proxy or by manually setting the Origin header in a request.
The exception is that requests from a browser environment will be blocked because browsers disallow setting the Origin header for security reasons.
Unless I am misunderstanding something, I see no security risk in allowing all origins, because this API is explicitly read-only.
Currently, the CORS policy for the 4chan API (a.4cdn.org) only allows requests from boards.4chan.org and boards.4channel.org (at least according to the docs).
This policy can be bypassed anyway by using a CORS proxy or by manually setting the Origin header in a request.
The exception is that requests from a browser environment will be blocked because browsers disallow setting the Origin header for security reasons.
Unless I am misunderstanding something, I see no security risk in allowing all origins, because this API is explicitly read-only.
Is there any reason to still have this policy?