<p>Thanks for the reply Tom. Some additional thoughts:</p>
<ul>
<li>Is "somebody using loading a http resource" considered a risk? My understanding is that this is something that should be avoided, especially when allowing user-generated content.</li>
<li>Is the API loading from the base domain or using a different one? (where I assume external queries are desired)</li>
</ul>
<p><a href="https://infosec.mozilla.org/guidelines/web_security#cross-origin-resource-sharing" rel="nofollow">Mozilla InfoSec</a></p>
<blockquote>
<p>For example, if your server provides both a website and an API intended for XMLHttpRequest access on remote websites, only the API resources should return the Access-Control-Allow-Origin header. Failure to do so will allow foreign origins to read the contents of any page on your origin.</p>
</blockquote>
<p>Thanks for your time.</p>
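<p>The Mozilla guidance quoted above (CORS headers only on API resources, never on ordinary site pages) can be expressed as a small Rack-style middleware. The following is an added example, not code from openstreetmap-website or from Mozilla; the <code>/api/</code> mount point, the <code>/api/v1/nodes</code> path and the allow-list of origins are constructed assumptions. It needs no gems: a Rack middleware is just an object with a <code>call(env)</code> method.</p>

```ruby
# Added example (not openstreetmap-website code): emit Access-Control-Allow-Origin
# only for API paths, so HTML pages on the same origin stay unreadable cross-origin.
API_PREFIX = "/api/".freeze                       # assumption: the API is mounted under /api/
ALLOWED_ORIGINS = ["https://example.org"].freeze  # constructed sample allow-list

class ScopedCors
  # allowed_origins: nil means "public API, any origin may read (no credentials)";
  # an array means "only these origins, echoed back individually".
  def initialize(app, api_prefix: API_PREFIX, allowed_origins: nil)
    @app = app
    @api_prefix = api_prefix
    @allowed_origins = allowed_origins
  end

  def call(env)
    status, headers, body = @app.call(env)
    extra = cors_headers(env["PATH_INFO"].to_s, env["HTTP_ORIGIN"])
    [status, headers.merge(extra), body]
  end

  def cors_headers(path, origin)
    # Non-API resources (HTML views, session-bound pages) get no CORS header at all.
    return {} unless path.start_with?(@api_prefix)
    # Same-origin and non-CORS requests carry no Origin header; nothing to add.
    return {} if origin.nil? || origin.empty?

    if @allowed_origins.nil?
      { "Access-Control-Allow-Origin" => "*" }
    elsif @allowed_origins.include?(origin)
      # Echo the specific origin and tell caches the answer depends on it.
      { "Access-Control-Allow-Origin" => origin, "Vary" => "Origin" }
    else
      {}
    end
  end
end

# Constructed sample app: every path answers 200 with a tiny text body.
SAMPLE_APP = lambda { |_env| [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Run one request through the middleware and return the response headers.
def respond(path, origin, allowed_origins: nil)
  app = ScopedCors.new(SAMPLE_APP, allowed_origins: allowed_origins)
  _status, headers, _body = app.call({ "PATH_INFO" => path, "HTTP_ORIGIN" => origin })
  headers
end

if __FILE__ == $PROGRAM_NAME
  p respond("/user/alice", "https://other.example")       # no Access-Control-Allow-Origin
  p respond("/api/v1/nodes", "https://other.example")     # Access-Control-Allow-Origin: *
  p respond("/api/v1/nodes", "https://other.example", allowed_origins: ALLOWED_ORIGINS) # none
  p respond("/api/v1/nodes", "https://example.org", allowed_origins: ALLOWED_ORIGINS)   # echoed
end
```

<p>A quick check for a deployment is therefore to request a normal site page with a foreign <code>Origin</code> header and confirm that no <code>Access-Control-Allow-Origin</code> comes back; only API paths should ever carry it, and when an allow-list is used the response must include <code>Vary: Origin</code> so a shared cache does not serve one origin's answer to another.</p>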

<p><a href="https://github.com/openstreetmap/openstreetmap-website/issues/3108#issuecomment-782070715">View this comment on GitHub</a></p>