Despite the costs of doing preflight opt-in on a per-resource basis rather than a per-origin basis, to meet its security goals, CORS proposes to do preflight on a per-resource basis. I have seen the rationale for this stated in bits and pieces. Can anyone point me at a reasonably self contained statement for why we need preflight on a per-resource rather than a per-origin basis? If there's nothing adequate to point at, could someone state a reasonably self contained rationale for this? Thanks.
-- Cheers, --MarkM