- Improvement
- Resolution: Fixed
- Normal
- None
- None
The /ws/js/edit endpoint is currently vulnerable to CSRF and can be used to submit edits without any review by the user. It would make sense to restrict external-origin requests to this endpoint to bot accounts, as those have been specially approved to mass-submit edits. This would mostly solve the issue of external origins being able to trick users into submitting edits, because bot accounts are much less likely to fall victim to that. (They aren't likely to even be running in the context of a web browser.)
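The check proposed above, sketched as an added Python example (hypothetical code, not part of this ticket or the project's server): the request's page origin is recovered from the `Origin` header, falling back to `Referer`, and an edit is accepted either when that origin is the site's own or when the logged-in account carries a bot flag. `SITE_ORIGIN`, the `User` class and its `is_bot` attribute are assumptions chosen for the illustration; a request with no usable origin is treated as cross-origin so the check fails closed.

```python
"""Origin-based CSRF gate for an edit endpoint (added example, hypothetical)."""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholder for the site's own origin (scheme://host[:port]).
SITE_ORIGIN = "https://example.invalid"


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a session user; is_bot marks an approved bot account."""
    name: str
    is_bot: bool


def request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Return the requesting page's origin as scheme://host[:port], or None.

    Origin is preferred; Referer is used as a fallback. A missing or
    opaque ("null") value yields None, which callers treat as unknown.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin and origin.strip().lower() != "null":
        return origin.strip().rstrip("/").lower()
    referer = lowered.get("referer")
    if referer:
        parts = urlsplit(referer.strip())
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def edit_allowed(headers: Mapping[str, str], user: Optional[User]) -> Tuple[bool, str]:
    """Decide whether an edit submission may proceed.

    - not logged in: reject
    - same-origin request: allow for any logged-in user
    - cross-origin or unknown origin: allow only for bot accounts
    """
    if user is None:
        return False, "not logged in"
    origin = request_origin(headers)
    if origin == SITE_ORIGIN.lower():
        return True, "same-origin request"
    if user.is_bot:
        return True, "cross-origin request accepted for approved bot account"
    shown = origin or "unknown origin"
    return False, f"cross-origin request ({shown}) rejected for non-bot account"


if __name__ == "__main__":
    # Constructed sample requests: a same-site form post, a foreign page, and a bot.
    alice, editbot = User("alice", False), User("editbot", True)
    for hdrs, who in [
        ({"Origin": "https://example.invalid"}, alice),
        ({"Origin": "https://other.invalid"}, alice),
        ({"Origin": "https://other.invalid"}, editbot),
        ({}, alice),
    ]:
        print(who.name, hdrs, "->", edit_allowed(hdrs, who))
```

The gate only narrows who can be driven cross-origin; it does not replace a per-request CSRF token for ordinary users, which remains the standard defence for a state-changing endpoint like this one.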