I run into CORS issues often when fetching RSS feeds from browser JavaScript [0], where the RSS provider has failed to correctly set the Access-Control-Allow-Origin header.
100%, this is one of the reasons that I want to promote `Access-Control-Allow-Origin: *`. It allows client-side RSS and link previews without needing a useless (and potentially privacy-harming) CORS proxy.
I agree with those points but I don't think they mean that we shouldn't be promoting that header as a common solution.
> Server bound to an inaccessible network interface
This is a niche use case. Most sites don't have this problem.
> Distributed client-side brute-force attack against login
This is pretty easy to solve by adding checks on your login endpoint. But really you should have more robust solutions against login rate limit whether or not they can be triggered by clients on different sites.
[0] https://porjo.github.io/freshtube/