I am not fluid in CORS, but I do not think it solves the problem since the POD server actually wants to serve all ajax requests for all apps. See for instance https://github.com/solid/solid-tutorial-angular/blob/master/solid_spec.md#cors---cross-origin-resource-sharing.
The default behavier on the web is “Same origin policy” (see https://en.wikipedia.org/wiki/Same-origin_policy) - but in Solid we actually want “Any origin policy”.
And it makes sense to allow it too. Assuming two apps https://app-a.com and https://app-b.com: to allow both to work with my POD at https://my-pod.com, the POD server has to allow requests from each app. And I do want both apps to be able to access my POD - but only a sub-set of it (namely “My contacts” OR “My memos” - not both).
I am pretty sure Solid apps could identify themselves by a certificate exposed by the server they are served from - and Solid apps could in principle use that to make authenicated requests to my POD where they BOTH pass my credentials, to access my data, AND some “app token” that can be verified by their corresponding server side certificate. The POD server could then slice the data by assigning each Solid app their own private share of my POD data.
And on top of that we then need the ability to grant different apps access to each other’s data.
/Jørn