Allow use of https://check.torproject.org/api/ip by content
I would like to create a page on another domain that demonstrates stream isolation in Tor Browser. This is the mechanism whereby each website is downloaded via a different Tor circuit, but a web page in an iframe is downloaded via the same Tor circuit as the first party parent document was.
Right now, https://check.torproject.org/api/ip cannot be included in iframes or fetched by a script in a web page.
So I would like to propose setting
Access-Control-Allow-Origin: *
and removing the X-Frame-Options
header
for this particular endpoint.