WS does have its own way of cross-domain opt-in. I think it uses slightly different headers than CORS for historical reasons but effectively does the same.
That a script is able to gather information about an origin that did not opt in seems like a serious bug to me.