WICG / private-network-access

https://wicg.github.io/private-network-access/

Host-wide opt-in #7

Open mnot opened 8 years ago

mnot commented 8 years ago

Leveraging CORS here makes sense from a using-tools-that-are-already-defined standpoint, but this use is a poster child for how chatty CORS is.

In many cases, the decision about whether data is allowed is going to be origin-wide; either "yes, I'm on the Internet" or "no, I'm not."

See also whatwg/fetch#210.

annevk commented 7 years ago

The solution here is Origin Policy I hope.

rcombs commented 4 years ago

This is very similar to my comment here: https://bugs.chromium.org/p/chromium/issues/detail?id=590714#c17

I think this can be addressed by either setting additional headers to indicate a host-wide opt-in, or via something under .well-known. Preflighting every single request in all cases is definitely excessive, and the current CORS caching mechanism (keying on the full URL) is too granular to solve that problem.
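An added illustration of the cost discussed in this thread (not code from any participant or from the specification): a small model that counts preflights when cache entries are keyed on the full URL versus on the target host. The `hostWideKey` function models the proposed host-wide opt-in as an assumption, and the origin `https://app.example`, the device addresses and the timings are constructed sample values.

```javascript
// Count preflights for a request sequence under a given cache key granularity.
// Assumption from the thread: every request to the private host is preflighted
// unless a matching, unexpired cache entry exists.
function countPreflights(requests, keyFn, maxAgeSec) {
  const cache = new Map(); // cache key -> expiry time in seconds
  let preflights = 0;
  for (const { t, origin, url, method } of requests) {
    const key = keyFn(origin, new URL(url), method);
    const expiry = cache.get(key);
    if (expiry === undefined || expiry <= t) {
      preflights++; // miss or expired entry: an OPTIONS round trip comes first
      cache.set(key, t + maxAgeSec);
    }
  }
  return preflights;
}

// Per-URL keying, as described in the thread: query strings create new entries.
const perUrlKey = (origin, url, method) => `${origin}|${url.href}|${method}`;

// Hypothetical host-wide opt-in: one approval per (requesting origin, target origin).
const hostWideKey = (origin, url) => `${origin}|${url.origin}`;

// Constructed sample: a public page polling two devices on the local network.
function sampleRequests() {
  const origin = "https://app.example";
  const paths = ["/status", "/status?zone=1", "/status?zone=2",
                 "/config", "/log?page=1", "/log?page=2"];
  const reqs = [];
  for (const start of [0, 1000]) { // second round starts after max-age (600 s)
    paths.forEach((p, i) => reqs.push(
      { t: start + i, origin, url: `http://192.168.1.20${p}`, method: "GET" }));
  }
  // A second device: approval for the first host must not carry over to it.
  reqs.push({ t: 2000, origin, url: "http://192.168.1.21/status", method: "GET" });
  return reqs;
}

console.log("per-URL preflights:  ", countPreflights(sampleRequests(), perUrlKey, 600));
console.log("host-wide preflights:", countPreflights(sampleRequests(), hostWideKey, 600));
```

The host-wide key still separates the two devices and still expires, so the reduction comes only from collapsing paths and query strings on one host.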