Noobie question: isn't it Really Bad™ to mandate permissive CORS?

Hey all, sorry in advance for the noobie question. I’m reading through the Solid specification and one of my immediate thoughts was, “one does not simply mandate permissive CORS from all implementations. Doesn’t that open all servers up to widespread DDoS-via-XSS by default?”

That said, I don’t know much about WebACL. I suppose if ACLs are sufficiently cacheable and allow a similar granularity to CORS, it might be fine.

Can anyone help me understand how to think about this and conceptually board the WebACL train? :train: :smile:
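To make the CORS-versus-ACL distinction concrete, here is an added example (not from the original poster, and not code from any Solid implementation) of a request handler that sends permissive CORS headers on every response while enforcing a per-resource access control list on every non-preflight request. The ACL shape, the bearer-token-to-WebID map, the WebIDs, the paths and the method-to-mode mapping are constructed for illustration and are a simplified stand-in for the real WebACL vocabulary. What it shows: `Access-Control-Allow-Origin: *` only decides whether a cross-origin page may read the response, and because `*` cannot be combined with `Access-Control-Allow-Credentials: true`, the browser never attaches cookies, so every cross-origin request has to carry explicit credentials and pass the ACL check anyway. Whether the request reaches the server at all is not something CORS controls in either direction (a page on any origin can make the browser send a plain GET regardless of the headers the server later returns), so the load question is separate from the authorization question.

```javascript
// Added example, not code from the original post or from any Solid server.
// Constructed data: the ACLs, the token -> WebID map and the HTTP-method ->
// access-mode mapping are all simplified stand-ins for WebACL.

const ACL = {
  // path -> { public: modes anyone gets, agents: { webid: modes } }
  "/public/notes.txt": {
    public: ["Read"],
    agents: { "https://alice.example/profile#me": ["Read", "Write"] },
  },
  "/private/diary.txt": {
    public: [],
    agents: { "https://alice.example/profile#me": ["Read", "Write"] },
  },
};

const TOKENS = {
  // constructed: an already-verified token -> WebID lookup stands in for
  // real token validation (signature, expiry, audience checks)
  "tok-alice": "https://alice.example/profile#me",
  "tok-bob": "https://bob.example/profile#me",
};

const MODE_FOR_METHOD = {
  GET: "Read", HEAD: "Read", PUT: "Write", DELETE: "Write", POST: "Append",
};

function corsHeaders() {
  // Permissive CORS on every response. '*' cannot be paired with
  // Access-Control-Allow-Credentials: true, so browsers never send cookies
  // with these cross-origin requests: there is no ambient authority to ride on.
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS, PUT, POST, DELETE",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Expose-Headers": "WWW-Authenticate, Location",
    "Access-Control-Max-Age": "86400",
  };
}

function agentFromRequest(req) {
  // Authentication is explicit: a bearer token the calling page chose to attach.
  const auth = (req.headers && req.headers.authorization) || "";
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  return m ? TOKENS[m[1]] || null : null;
}

function isAllowed(path, agent, mode) {
  const entry = ACL[path];
  if (!entry) return false; // unknown resource: deny without revealing existence
  if (entry.public.includes(mode)) return true;
  return Boolean(agent) && (entry.agents[agent] || []).includes(mode);
}

function handleRequest(req) {
  const headers = corsHeaders();
  if (req.method === "OPTIONS") {
    // Preflight only answers "may the browser send this?"; it discloses nothing
    // about the resource, so no ACL lookup is needed here.
    return { status: 204, headers, body: "" };
  }
  const mode = MODE_FOR_METHOD[req.method];
  if (!mode) return { status: 405, headers, body: "" };

  const agent = agentFromRequest(req);
  if (!isAllowed(req.path, agent, mode)) {
    // The CORS headers still go out: a cross-origin page may read this
    // response, but all it learns is that it was refused.
    headers["WWW-Authenticate"] = 'Bearer realm="pod"';
    return { status: agent ? 403 : 401, headers, body: "" };
  }
  return { status: 200, headers, body: `${mode} ${req.path} as ${agent || "anonymous"}` };
}

// Adapter for Node's http.createServer(nodeHandler); defined but not started here.
function nodeHandler(req, res) {
  const path = new URL(req.url, "http://localhost").pathname;
  const out = handleRequest({ method: req.method, path, headers: req.headers });
  res.writeHead(out.status, out.headers);
  res.end(out.body);
}
```

To run it as a server, add `require("http").createServer(nodeHandler).listen(8080);` at the bottom. Note that the ACL check runs on every request whether or not an `Origin` header is present, and that the server does the same amount of work for a cross-origin request it refuses as for one it accepts; if request volume is the worry, that is a rate-limiting or quota concern, and tightening CORS would not change how many requests arrive.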