One  situation in which it fails is in the universal javascript environment. To the best of my knowlege, knowledge,  the server is unable to prepare the closure in a way that is not suseptible susceptible  to a change in locally changing the  source code. While CORS would protect the server from processing request made by a malicious local host, something just feels wrong about storing the authentication information in generated source code. If you have any other ideas or solution, please comment.