doc: IMPORTANT WARNING

src/index.ts

@@ -905,6 +905,9 @@ function removeContentSecurityPolicy(
     delete details.responseHeaders['content-security-policy-report-only'];
     delete details.responseHeaders['content-security-policy'];
 
+    // FIXME: This allows all origins to bypass the CORS policy, which is not secure.
+    //        If a third-party origin is embedded in any way, and has JS code that is executed, it can potentially steal your google account.
+    //        DO NOT MERGE until I've properly figured this out, it shouldn't be that hard to fix.
     if (details.frame?.url && new URL(details.url).protocol === 'https:') {
       delete details.responseHeaders['access-control-allow-origin'];
       details.responseHeaders['access-control-allow-origin'] = [