by cyphar 1882 days ago
Why do you need to run that on the client? And even if you do need to run it on the client for some reason, GitHub has APIs that you could use which have an allow-all CORS policy (as all APIs do).

CORS is defending against a particular class of attack, which is indistinguishable from the scenario you outlined: evilexample.com wants to get access to your private repos on GitHub (which can be reached purely through GET requests).

1 comment

The post I was replying to seemed to be saying that invoking multiple services from the client is "a sign of how ludicrous front end development has gotten."

> Why do you need to run that on the client?

Because it's a good idea (less wasteful) to do that on the client, rather than wasting bandwidth rerouting it via my own server.
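The browser-side rule behind the parent comment's distinction between an allow-all API and credentialed page content, as an added example that is not part of either comment: a model of the Fetch standard's CORS check, run over three constructed responses. The origins, header values and the `corsCheck` / `scenarios` names are assumptions made for illustration, not captured traffic.

```javascript
// Model of the Fetch standard's "CORS check": the test a browser applies to a
// cross-origin response before page script is allowed to read it.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v.trim()])
  );
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  const withCredentials = credentialsMode === "include";
  // "*" only counts when the request carried no cookies or HTTP auth.
  if (allowOrigin === "*" && !withCredentials) {
    return { readable: true, reason: "wildcard, uncredentialed request" };
  }
  if (allowOrigin !== requestOrigin) {
    return { readable: false, reason: "allowed origin does not match requester" };
  }
  if (!withCredentials) {
    return { readable: true, reason: "origin matches, uncredentialed request" };
  }
  // Credentialed reads additionally need an explicit opt-in from the server.
  if (headers.get("access-control-allow-credentials") !== "true") {
    return { readable: false, reason: "credentials not explicitly allowed" };
  }
  return { readable: true, reason: "origin matches and credentials allowed" };
}

// Constructed scenarios: the requesting page is always the untrusted origin.
function scenarios() {
  const attacker = "https://evilexample.com";
  return {
    // Cookie-authenticated page that sends no CORS headers at all.
    privatePage: corsCheck(attacker, "include", { "Content-Type": "text/html" }),
    // Allow-all API called without cookies: only public data is reachable.
    publicApi: corsCheck(attacker, "omit", { "Access-Control-Allow-Origin": "*" }),
    // Same allow-all API, but the caller tries to ride the victim's cookies.
    apiWithCookies: corsCheck(attacker, "include", { "Access-Control-Allow-Origin": "*" }),
  };
}

console.log(scenarios());
```

A wildcard policy therefore exposes only what an anonymous caller could already fetch; reading anything tied to the user's session requires the server to name the origin and allow credentials.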