I’m not too studied-up on CORS, but I know what it’s there for. Currently there’s a number of things that are not possible to do because our generator is on a different subdomain than other generators or iframes, etc. etc. and even the top-level page we’re actually on.
With that allowed (I think CORS can allow this), there’s a lot more customisation we can do of things like t2i image iframes and gallery iframes, reading/changing the top-level url, etc. Maybe that’s something you don’t want to allow, but I for one have wanted to do these things for completely benign legit reasons multiple times.
Just so you know, iframes are pretty much how all of perchance works. So yeah… they’re fine with iframes 😅
As for CORS and such, yeah I’m not completely up to speed with it either. Just handing it over to the dev who’s in here too, to figure out how they want to handle such things, if at all. We’ve been discussing various methods without CORS that would still expand the capabilities to do interesting/useful (but safe) stuff.