If I have a JSON API that's protected by "Authorization: Bearer XXX" API tokens, what are the arguments against sticking these headers on it?
```
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Authorization
```
I want users of my API to be able to access it via JavaScript from any host
The best argument I can think of is that it may encourage people to leak their private API token in publicly visible HTML documents, anything else?