At that point, if I wrote my own proxy server, I'd drop the JS altogether and just request a proxy link. I know what's cross-origin in my code, so if I wanted to mitigate it with a proxy, I don't need the additional library. Still say your best bet is losing the JS and opening up the server. I mean, what's going to be better here, telling everyone "it's a trust issue", or passing on a relatively simple self-hosted proxy server made specifically for CORS-faking? Else, my big trust question is "why exactly do you WANT me to forward my traffic through your black box server?"