The recent progress on CORS has been much appreciated, but the set of usable cross-origin APIs is quite small and provides limited value. It's apparently not possible to make a request to figure out the membership ID of the end user since those APIs are all private and require the disallowed X-CSRF header. The OPTIONS preflight responses indicate that Authorization is an allowed cross-origin header, and the unofficial API docs suggest that per-Application authorizations are coming (potentially even with bog standard OAuth which would be so great). Is there any rough timeline for these things to materialize with or without documentation? I'm about to embark on a kludgy journey to allow users to "link their Bungie.net account" by having users manually set status strings to some given token. I'd give anything for a better option.