Trying to access the browser integration via JavaScript on musicbrainz.org gives a cross origin error:

Access to XMLHttpRequest at 'http://127.0.0.1:8000/' from origin 'https://musicbrainz.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This can be resolved by the browser integration by setting a Access-Control-Allow-Origin response header.

While the current integration does not require this (the browser integration is just a link), having this supported would allow more flexibility for the future. E.g. the website could check if Picard is available, as I have prototyped with a user script.

See:

https://community.metabrainz.org/t/bring-me-a-green-tagger-button/478155/16

https://github.com/phw/musicbrainz-auto-tagger-button

We should consider restricting the possible origin hosts to accept.