There’s few implementations of the engine, but many implementations of rules for that engine.

I think OPs point is that many of those rule sets probably don’t do what the author intended.

I would second that, because CORS questions are common and “turn on the allow all pattern” is almost always in the top 3 suggestions.

Semi-related tangent, it annoys the hell out of me that create-react-app (and the newer incarnation) don’t come with an “allow all” CORS rule. Don’t force me to figure out which arcane setting configures CORS headers, I’m the one writing the code, I’m okay with wherever the HTTP requests are going, I’ll set up real CORS headers on nginx for prod.