One situation in which it fails is in the universal JavaScript environment. To the best of my knowledge, the server is unable to prepare the closure in a way that is not susceptible to locally changing the source code. While CORS would protect the server from processing requests made by a malicious local host, something just feels wrong about storing the authentication information in generated source code. If you have any other ideas or solutions, please comment.