CORS should be mentioned in the document.
Max has pointed out that if CORS is not mentioned in the spec then we may end up with security loopholes.
Max has pointed out that if CORS is not mentioned in the spec then we may end up with security loopholes.