@s{quotedtext}
@s{quotedtext}
CORS support doesn't change this.
IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file.
And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost: urls-- we learned that lesson here six months or so ago).
That is all true right now, with the released bitcoin/bitcoind.