@silverpill when I fetch mitra actors from the browser with JavaScript fetch, it disallows them due to the server not allowing CORS pre-flight requests.
When I was adding support for Django's C2S client, it became apparent that if we want objects be accessible form in browser clients, the servers need very relaxed CORS policies. I defaulted to accepting all https:// ... but I'm thinking about rules based on the actor's followers perhaps..