I'm nearly positive that CORS from localhost works OK. I set this up all the time for local development. For example, I run a client CRA app on localhost:3000 and an API on localhost:3001. The API sets the CORS headers and the CRA app can make requests to it.
Maybe I missed something, but if they could have done this the right way and didn't, that is much worse IMO...
CORS is hard, I've struggled on it several times, and I'm not surprised an engineer gave up trying to fix it because of deadlines.
If you have a CORS-enabled server on localhost you can make requests to it from http://www.test-cors.org
The image hack seems like a lot of work to go through to make an app LESS secure.
If they set CORS to allow interaction from anywhere, why use an image and not load data with js?
> One potential hiccup I encountered was that Firefox blocked my XHR request due to a policy against "mixed active content". This was because my origin site was accessed through an HTTPS connection and the localhost server was only HTTP. That's one potential reason Zoom might have opted to use their <img> garbage; since <img> elements are passive not active content, they could avoid using HTTPS on the localhost webserver. That's not a good excuse, but clearly they weren't interested in finding a good solution -- whatever the problem that prompted the <img> hack was.