alt Hacker NewsIssue is that for most projects CORS is set and forget. You don’t run into it once a month or even once a year - you run into it when setting up new project from scratch.
Many or most developers work on existing projects that have all kinds of security defaults set somewhere in the past and no one bothers reviewing those.
Nah the clowns at standard board just decide to fuck shit up every few years and add some new mess to CORS that breaks in some subtle edge case on existing setup