[dorgo]

> The parent site wouldn't be able to manipulate any of the content/ads/paywalls/functionality

What? What do we disable CORS for if not to allow Javascript from one domain manipulate content in an iframe of an other domain? Am I missing something?

[thinkloop]

Disabling CORS would allow you to make straight requests to foreign content from your site and manipulate the responses exactly as though they came from your own servers - no iframe needed. CORS does not disable iframe sandboxing.