Preface: This is a rant. I am highly aware of why these security technologies are needed, but man, is it cumbersome sometimes.
Skippable rant: So, while I am very much aware of why something like SOP/X-CORS is a relevant technology, as in it works wonders protecting the user from malicious sites, poorly coded sites, and unwanted JavaScript injection, it’s made my whole “everything must be tiddlywiki in some way” spree a bit cumbersome. A great example of this: RSS feeds in tiddlywiki. Boy, would it be wonderful for me to have a wiki that tracks my favorite videos, where I could even fork ones I like and make notes or embed them. To make it even better, RSS is a simple XML file! All I have to do is set a _canonical_uri
and bam!.. Firefox cannot display this content… “Okay,” I think, certainly there’s a reason to block viewing files; what if I just try to HTTP GET from tiddlywi…[Error Code 0]… cool, so thanks to same origin I can’t read a feed that is essentially meant to be read externally; it’s the entire point of the framework/format… Alright, well, let’s see if we can use it with some AI tools; certainly having quick tiddler references to prompt AI, and the ability to “drag and drop” save, would be helpful, so let’s just embed it as an iframe and… x-frames are blocked… cool…
Why we need it: Okay, so the dilemma is, tiddlywiki isn’t the only thing on the internet. I highly doubt Google wants to stop me from generating an RSS feed in tiddlywiki, or that a website doesn’t want me to view it in a custom page/iframe. This issue isn’t that SOP/X-CORS exists to spite me, rather the opposite. Having mechanics simple enough that a single HTML page can bypass them would be bad for the internet as a whole. What we can do in tiddlywiki, hackers can do too, and if I can render a website and potentially inject malware or ad blockers, I could make a website that suffocates creative free projects, ruining it for everyone, or even distribute malware or hijack login details. It’s a necessary evil.
Why I’m Ranting: While I understand WHY we need CORS, I don’t understand why there aren’t browser options to disable it on a user/user basis on things like Android. I also don’t know why things like YouTube block GET requests for what is clearly meant as an external reference for their content. Poorly configured SOPs and X-CORS are infuriating, and venting here is cheaper than therapy; plus I figured it could sort of explain why someone wouldn’t just disable these features altogether. While many workarounds exist, they are far more complicated than any tiddlywiki plugin can accomplish realistically. Remember that SOP/X-CORS is a good thing, but with great power comes great configuration requirements. Things like RSS, robots.txt and any other “public resource”, like pages meant for embedding and externally usable JavaScript, should probably be ignored by these systems? For the sake of sanity? Maybe? But it’s just a rant. I’m not a security consultant.
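What the “configuration requirements” look like from the site operator’s side, as an added example that is not part of the original post: the browser, not the server, enforces the same-origin policy, and its default is to refuse cross-origin reads. A server opts a genuinely public resource (a feed, robots.txt) out of that default with Access-Control-Allow-Origin: *, keeps anything that carries a session locked to a specific trusted origin, and only restricts framing on pages that are actual UI. The path patterns, origins and function names (corsHeadersFor, checkCorsHeaders) are all constructed for this example; it is plain Node.js with no dependencies.

```javascript
// Added example (not from the original post). Decides which cross-origin
// headers a response should carry and flags header combinations that browsers
// reject anyway. All paths and origins below are constructed placeholders.

// Resources the operator has classified as genuinely public: no per-user data,
// so any origin may read them. (Assumption: the operator maintains this list.)
const PUBLIC_RESOURCE_PATTERNS = [/^\/feeds\/.*\.xml$/, /^\/robots\.txt$/];

// Origins allowed to read authenticated (cookie-bearing) responses, e.g. the
// site's own front end on another subdomain. Constructed value.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]);

function isPublicResource(path) {
  return PUBLIC_RESOURCE_PATTERNS.some((re) => re.test(path));
}

// Response headers for a request to `path` from `requestOrigin` (the browser's
// Origin header, or null for a same-origin navigation). Anything not matched
// below gets no ACAO at all, which is the browser's default-deny outcome that
// the post runs into when fetching a feed the server never marked public.
function corsHeadersFor(path, requestOrigin) {
  const headers = {};
  if (isPublicResource(path)) {
    // Public feed: readable from any origin, but never with credentials, so a
    // third-party page sees exactly what an anonymous client would see.
    headers["Access-Control-Allow-Origin"] = "*";
    headers["Cache-Control"] = "public, max-age=300";
  } else if (requestOrigin && TRUSTED_ORIGINS.has(requestOrigin)) {
    // Authenticated API: echo the specific trusted origin, never "*", and add
    // Vary so a shared cache does not hand this response to another origin.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
  }
  if (!isPublicResource(path)) {
    // Pages that hold session state should not be framed by other sites
    // (clickjacking). A feed is data, not UI, so it needs no framing limit.
    headers["X-Frame-Options"] = "SAMEORIGIN";
    headers["Content-Security-Policy"] = "frame-ancestors 'self'";
  }
  return headers;
}

// Pre-deployment sanity check. Returns a list of problems; empty means the
// combination is one browsers will honour as intended.
function checkCorsHeaders(headers) {
  const problems = [];
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (acao === "*" && creds) {
    // The Fetch standard forbids this pair: browsers fail the request, and the
    // intent (credentialed reads from anywhere) would leak user data anyway.
    problems.push("wildcard origin combined with credentials");
  }
  if (acao && acao !== "*" && headers["Vary"] !== "Origin") {
    problems.push("per-origin ACAO without Vary: Origin");
  }
  return problems;
}

// Stand-alone demo: a public feed, a private API hit from an unknown origin,
// and the misconfiguration the checker exists to catch.
console.log(corsHeadersFor("/feeds/videos.xml", "https://wiki.example.test"));
console.log(corsHeadersFor("/api/me", "https://wiki.example.test"));
console.log(checkCorsHeaders({
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
}));
```

The point of the split is that the server only declares intent; the browser is still the thing enforcing it. A feed that never sends Access-Control-Allow-Origin will stay unreadable from a wiki on another origin no matter what the client does, which is the situation the rant describes.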
TL;DR: YouTube blocks its RSS XML behind Same Origin Policy, so a guy with no free time can’t make tiddlywiki into a usable RSS reader (because those don’t exist absolutely everywhere, right?) and rants about how a critical piece of security infrastructure is inconvenient to him rather than downloading a 9.7mb RSS app. But laments that SOP/CORS is good in the end. Unless you’re insane you shouldn’t make tiddlywiki do EVERYTHING (I’m insane; this is a roadblock, not a stopping point.)