That’s… not what cors does? CORS will only block browser-mediated “non-simple” requests, they don’t prevent other systems from accessing it as long as they don’t use a browser (or disable CORS in a headless browser).
That’s… not what cors does? CORS will only block browser-mediated “non-simple” requests, they don’t prevent other systems from accessing it as long as they don’t use a browser (or disable CORS in a headless browser).
I'm pretty sure they understand that since they wrote that the resources will need to be proxied.
They just want to prevent hotlinking/leeching.
SOP does not prevent hotlinking in the first place, a hotlink is simple request (the most simple if anything), CORS isn’t going to be in the path at all.