by al2o3cr 2843 days ago
> For those you don't need CORS anyway

CORS is needed for GET if the request needs to send headers like `Authorization`, AFAIK

2 comments

Yes. There are a few safelisted headers (and relatedly, content-types) that do not trigger a pre-flight; any GET that uses something outside of them (such as 'authorization') gets preflighted.
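A simplified model of the safelist check described in the reply above, added here as an illustration and not part of the original thread. The function names are made up for this example; the rules follow the Fetch standard's CORS-safelisted methods and request headers for script-set headers, leaving out its limit on total header size.

```javascript
// Added example: which script-set parts of a cross-origin request force a preflight.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Bytes the Fetch standard treats as unsafe in Accept and Content-Type values.
const UNSAFE_VALUE_CHARS = /[\x00-\x08\x0a-\x1f"():<>?@[\\\]{}\x7f]/;

// Hypothetical helper: true if this header/value pair is CORS-safelisted.
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false; // over-long values are never safelisted
  switch (name.toLowerCase()) {
    case "accept":
      return !UNSAFE_VALUE_CHARS.test(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (UNSAFE_VALUE_CHARS.test(value)) return false;
      // Only the MIME essence matters; parameters such as charset are allowed.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_CONTENT_TYPES.has(essence);
    }
    case "range":
      return /^bytes=\d+-\d*$/.test(value); // single simple byte range only
    default:
      return false; // e.g. Authorization or any custom X-* header
  }
}

// Hypothetical helper: reasons the request is preflighted (empty array = no preflight).
function preflightReasons(method, headers = {}) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, String(value))) {
      reasons.push(`header ${name.toLowerCase()}`);
    }
  }
  return reasons;
}

// Constructed sample requests.
console.log(preflightReasons("GET", { Accept: "application/json" }));
console.log(preflightReasons("GET", { Authorization: "Bearer <token>" }));
```

The server still has to answer the resulting `OPTIONS` request with `Access-Control-Allow-Headers` naming each non-safelisted header, or the browser never sends the actual GET.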