@b0rk the mental modal is tricky to me and feels backwards. Usually a good mental model is that backend does enforcement, but CORS is the backend helping the browser do enforcement. Another tricky thing is that newer things like WebSockets don’t have the same legacy to deal with and so there enforcement is on the server side.