Okay, this is a good idea, but how would it handle legitimate requests to other domains?

Issues: - some users would click allow anyway, so it doesn't completely solve the problem - what about apps built using CORS.. etc