Thanks for the explanation @jashkenas — Lack of allow-same-origin seems to prevent me from using OAuth to Google APIs (like this working example in Codepen), so if there are ways to safely ease the restrictions in the future, that would be much appreciated!