Is it typical that an implementation of a Redfish service include CORS?
The use case for this is when you're writing a website (see Swordfish-basic-web-client) and you'd like to access a Redfish service that isn't on the same server that serves the web pages, then the Redfish service has to allow enable CORS to ensure that a user's browser can send AJAX requests and successfully retrieve the data.
What are the security concerns for enabling CORS on the Redfish service? I would consider allowing '*', which allows any server to write a web client front end that consumes a Redfish service -- is this a poor security practice? I'll come back and report on this one.