Would it be a terrible idea to amend BIP 70 to suggest implementors include an "Access-Control-Allow-Origin: *" response header for their payment request responses? I don't think this opens up any useful attack vectors.

I ask because this would make it practical for pure HTML5 web wallets to use the payment protocol entirely in-browser. Without this I think it would be necessary for the server hosting the wallet's HTML to fetch payment requests on the browser's behalf. This is somewhat inelegant and has security/resource implications for the back-end.

-Andy