Suggest setting the CORS header (Access-Control-Allow-Origin)
It might be helpful to mention the Access-Control-Allow-Origin header in the specification under 2.3, maybe like this:
The response should also set the Access-Control-Allow-Origin to * to allow consuming the API from JavaScript clients running in the browser.
At the moment, some providers have set that header, but a large number of them have not. Without the header, the response can only be consumed by a server client or standalone script, but not in the browser.
This would be very "welcoming" for public content, but might impose a security issue for private content, and also lead to other concerns like making this CORS support detectable from the client.
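The trade-off discussed in this thread, written out as an added example that is not part of the oEmbed specification or of this issue: a minimal oEmbed provider response builder that emits `Access-Control-Allow-Origin: *` only for public resources, and for private resources either echoes an allowlisted origin (with `Vary: Origin`) or sends no CORS header at all, so browser scripts cannot read the response while server-side consumers are unaffected. The `RESOURCES` table, the `TRUSTED_ORIGINS` allowlist, the `/oembed?url=...` request shape and the embed payloads are all constructed for this example.

```python
"""Constructed oEmbed provider handler showing per-resource CORS decisions.

Not the spec's or any provider's code: RESOURCES, TRUSTED_ORIGINS and the
handler's return shape are assumptions made for this example.
"""
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample data: which resources are public and what they embed as.
RESOURCES = {
    "https://example.com/videos/42": {"public": True, "title": "Public video"},
    "https://example.com/videos/99": {"public": False, "title": "Private video"},
}

# Constructed allowlist of browser origins permitted to read *private* resources.
TRUSTED_ORIGINS = {"https://app.example.com"}


def cors_headers(is_public: bool, request_origin: Optional[str]) -> dict:
    """Return the CORS headers to attach to an oEmbed response.

    Public content: '*' as the issue proposes, so any page can consume it.
    Private content: never '*'. Echo the request Origin only when it is on the
    allowlist and add 'Vary: Origin' so shared caches keep responses separate.
    Otherwise send no CORS header: browser scripts see an opaque failure,
    while server-side clients (which ignore CORS) are unaffected.
    """
    if is_public:
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


def handle_oembed(request_url: str,
                  request_origin: Optional[str] = None) -> Tuple[int, dict, str]:
    """Handle GET /oembed?url=<resource>&format=json.

    Returns (status, headers, body). The 'Origin' request header value, if any,
    is passed in as request_origin.
    """
    query = parse_qs(urlparse(request_url).query)
    target = query.get("url", [None])[0]
    headers = {"Content-Type": "application/json"}

    resource = RESOURCES.get(target)
    if resource is None:
        return 404, headers, json.dumps({"error": "not found"})

    headers.update(cors_headers(resource["public"], request_origin))
    body = {
        "version": "1.0",
        "type": "video",
        "title": resource["title"],
        # Constructed embed markup; a real provider renders its own player here.
        "html": '<iframe src="%s/embed" width="640" height="360"></iframe>' % target,
        "width": 640,
        "height": 360,
    }
    return 200, headers, json.dumps(body)


if __name__ == "__main__":
    for url, origin in [
        ("https://example.com/oembed?url=https://example.com/videos/42&format=json", "https://anysite.example"),
        ("https://example.com/oembed?url=https://example.com/videos/99&format=json", "https://anysite.example"),
        ("https://example.com/oembed?url=https://example.com/videos/99&format=json", "https://app.example.com"),
    ]:
        status, hdrs, _ = handle_oembed(url, origin)
        print(status, hdrs.get("Access-Control-Allow-Origin"), hdrs.get("Vary"))
```

The point of keeping `*` limited to public resources is the concern raised above: a wildcard on private content lets any page the user visits read an embed the user is entitled to see. Note also that browsers reject `*` combined with credentialed requests, so a provider that authenticates the browser session must echo a specific origin rather than the wildcard.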