Closed by azaroth42 7 years ago
I agree with this, but note that the CORS stuff is ONLY required when there is an origin issue. So for a private annotation client accessing a private annotation server...
On the other hand, since the whole point of this protocol is that any client can access any server, I think it is reasonable to require that servers expose the required headers. And that requires the correct CORS header settings.
While all three MUST be supported, the header and body requirements aren't as clear as they could be in the following text (Protocol section 4.1).
For example, OPTIONS doesn't need to have Content-related headers, but HEAD and GET do, and all of them need the CORS headers.
Thanks (again) to @mattmcgrattan!
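The point above about servers exposing the required headers can be checked mechanically. The following is an added example, not code from this thread or from the specification: it reports which headers of a response a cross-origin script could not read. The `NEEDED` list, the function names and the sample responses are assumptions made for illustration.

```javascript
// Response headers a cross-origin script may read without any
// Access-Control-Expose-Headers entry (CORS-safelisted names, Fetch standard).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Assumption: headers an annotation client wants to read; not taken from the thread.
const NEEDED = ["Allow", "Content-Type", "ETag", "Link"];

function parseList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// headers: plain object of response headers.
// credentialed: true if the request was sent with cookies or HTTP auth.
function corsReport(headers, needed = NEEDED, credentialed = false) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const problems = [];
  if (!("access-control-allow-origin" in h)) {
    problems.push("no Access-Control-Allow-Origin: response is blocked cross-origin");
  }
  const exposed = new Set(parseList(h["access-control-expose-headers"]));
  // "*" exposes every header only when the request carried no credentials.
  const wildcard = exposed.has("*") && !credentialed;

  // Present on the wire, but hidden from the calling script.
  const unreadable = needed.filter(name => {
    const n = name.toLowerCase();
    return (n in h) && !SAFELISTED.has(n) && !wildcard && !exposed.has(n);
  });
  const absent = needed.filter(name => !(name.toLowerCase() in h));
  return { problems, unreadable, absent };
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_GET = {
  "Access-Control-Allow-Origin": "*",
  "Content-Type": "application/ld+json",
  "ETag": "\"v1\"",
  "Link": "<http://www.w3.org/ns/ldp#Resource>; rel=\"type\"",
  "Allow": "GET,HEAD,OPTIONS",
};
const SAMPLE_FIXED = { ...SAMPLE_GET, "Access-Control-Expose-Headers": "Allow, ETag, Link" };
const SAMPLE_STAR = { ...SAMPLE_GET, "Access-Control-Expose-Headers": "*" };
```

`SAMPLE_GET` is allowed cross-origin yet still hides `Allow`, `ETag` and `Link` from the script, and the wildcard in `SAMPLE_STAR` stops helping as soon as the request is credentialed.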