Isn't CSP controlling what you can fetch FROM your website? The proxy in the example I mentioned can act as a simple web browser behind the scenes. Unless I'm missing something.


https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...

Would be an additional method.

Your attack is not new/novel.


Not claiming it to be novel or new at all. Just trying to understand. I'll think about CORS. Meanwhile, my thought (correct me if I'm wrong) is that CORS would be irrelevant, since on behalf of bank.com it is simply controlled by a regular viewer, while the real user is just telling the proxy where to click and what to do.


CORS policy would say "okay end user, you can load everything from me, but also get jquery from <some jquery CDN>. no resources can come from anywhere else".

It's not a bad idea to just put in a CSP (always put in a CSP!), CORS policy, and Same-Origin. This is configured on your app rather than server (usually).

MDN is one of the better resources for this, and links out to other authoritative resources in the additional info section of a directive.
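As an added example (not code from this thread or from any commenter), here is a small JavaScript model of how a browser evaluates a Content-Security-Policy source list like the one described in the comment above, with a permissive wildcard policy beside a restrictive policy that allows only the page's own origin plus scripts from the jQuery CDN host code.jquery.com. The page origin app.example.com, the policy strings and the sample loads are constructed; the matcher is a simplified version of CSP's host-source rules (no path matching, nonces or hashes).

```javascript
// Added example (not from the thread): a simplified model of how a browser
// checks a resource load against a Content-Security-Policy source list.
// Constructed values: page origin, policy strings, sample loads.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression permit loading resourceUrl from a page at pageOrigin?
// Handles 'none', 'self', '*', scheme-source ("https:") and host-source
// ("https://cdn.example.com", "*.example.com", "cdn.example.com:8443").
// Quoted keywords that govern inline code (nonces, hashes, 'unsafe-inline')
// never match a URL, so they return false in this model.
function sourceMatches(source, resourceUrl, pageOrigin) {
  const url = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false;
  if (source === "*") return true; // any origin at all: the weak setting
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase(); // scheme-source
  }
  let scheme = null;
  let hostPort = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase() + ":"; hostPort = m[2]; }
  hostPort = hostPort.replace(/\/.*$/, ""); // path-part matching omitted here
  // Scheme rule: an explicit scheme must match; a scheme-less host-source
  // inherits the page's scheme but also accepts https on an http page.
  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === "http:" && url.protocol === "https:")) {
    return false;
  }
  const [host, port = ""] = hostPort.split(":");
  // Host rule: exact match, or a leading "*." matches any subdomain (not the bare domain).
  const hostname = url.hostname.toLowerCase();
  const hostOk = host.startsWith("*.")
    ? hostname.endsWith(host.slice(1).toLowerCase())
    : hostname === host.toLowerCase();
  if (!hostOk) return false;
  // Port rule: url.port is "" when the scheme's default port is in use.
  return port === "" ? url.port === "" : url.port === port;
}

// Evaluate a load governed by `directive` (e.g. "script-src") under a CSP header.
// A missing fetch directive falls back to default-src; if neither is present the
// policy places no restriction on that load.
function cspAllows(header, directive, resourceUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive.toLowerCase()] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Constructed page origin and the two policies being compared.
const PAGE_ORIGIN = "https://app.example.com";
// Weak: a wildcard lets every directive load from anywhere.
const WEAK_CSP = "default-src *";
// Along the lines of the comment above: same-origin only, plus scripts from one CDN.
const STRICT_CSP = "default-src 'self'; script-src 'self' https://code.jquery.com";

// Run a few constructed loads through both policies.
function compare() {
  const loads = [
    ["script-src", "https://code.jquery.com/jquery.min.js"],
    ["script-src", "https://third-party.example.net/tracker.js"],
    ["img-src", "https://app.example.com/logo.png"],
    ["connect-src", "https://third-party.example.net/api"],
  ];
  return loads.map(([directive, url]) => ({
    directive,
    url,
    weak: cspAllows(WEAK_CSP, directive, url, PAGE_ORIGIN),
    strict: cspAllows(STRICT_CSP, directive, url, PAGE_ORIGIN),
  }));
}

console.table(compare());
```

The check runs inside the browser that is rendering your page: it limits what that page may load or connect to, so under the strict policy the tracker script and the cross-origin API call are refused while the same-origin image and the CDN script go through. It says nothing about who may fetch your site from the outside, which is the distinction the first question in this thread is getting at.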


Okay, I’ll give it a try by mocking up an attack on a secure app of mine I’m making. Thanks!!!



