Is CORS still a security concern with the v2 API?

I’m aware of this thread: CORS issue in Patreon API [SOLVED] which was resolved with:

We intentionally do not support client-side requests for security reasons.
We will allow that once we implement client tokens which have a different OAuth flow and will allow some interesting features with it.

However, I believe this related to version 1 of the API, which I believe required both the Client ID and Client Secret to be exposed. In version 2, only the Client ID is required, but I’m still seeing a CORS error when attempting to call https://www.patreon.com/oauth2/authorize client-side.

Is this still a security concern and does this CORS block still need to be in place for the v2 API?

Disclaimer: I used to be a Patreon employee who worked on the API

The reason CORS is disabled is that the Patreon API does not support “client tokens” that enable safe usage of access tokens. The issue is the tokens, not the API itself.

Client tokens usually are short-lived (normally for 30 min) and are passed via fragment URL argument to avoid them being logged to a server, and are only normally used via JavaScript and CORS.

I hope this helps.
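
Added example, not part of the original thread and not Patreon's API (which, per the answer above, has no client tokens): a sketch of why a fragment-delivered token stays out of server logs while a query-delivered one does not, plus client-side expiry handling. The host `app.example`, the token value, and the parameter names `access_token` and `expires_in` (taken from the generic OAuth implicit-grant style) are assumptions.

```javascript
// Constructed redirect URLs; app.example and the token value are placeholders.
const FRAGMENT_REDIRECT =
  "https://app.example/callback#access_token=CONSTRUCTED_TOKEN&token_type=bearer&expires_in=1800";
const QUERY_REDIRECT =
  "https://app.example/callback?access_token=CONSTRUCTED_TOKEN&token_type=bearer&expires_in=1800";

// What the browser places on the HTTP request line, and so what an access
// log records. The fragment is never sent to the server.
function requestTargetSeenByServer(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Client-side: read the token from the fragment and compute its expiry time.
function parseFragmentToken(urlString, nowMs) {
  const u = new URL(urlString);
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));
  const token = params.get("access_token");
  const expiresIn = Number(params.get("expires_in"));
  if (!token || !Number.isInteger(expiresIn) || expiresIn <= 0) {
    return null; // no token or no lifetime: refuse rather than assume a default
  }
  return { token, expiresAt: nowMs + expiresIn * 1000 };
}

// A short-lived token must be rejected once its lifetime has elapsed.
function isUsable(parsed, nowMs) {
  return parsed !== null && nowMs < parsed.expiresAt;
}

// URL to hand to history.replaceState in a browser so the token does not
// remain in the address bar or session history after it has been read.
function urlWithoutFragment(urlString) {
  const u = new URL(urlString);
  u.hash = "";
  return u.toString();
}

const now = Date.now();
const parsed = parseFragmentToken(FRAGMENT_REDIRECT, now);
console.log("server sees (fragment):", requestTargetSeenByServer(FRAGMENT_REDIRECT));
console.log("server sees (query):   ", requestTargetSeenByServer(QUERY_REDIRECT));
console.log("usable now:", isUsable(parsed, now));
console.log("cleaned URL:", urlWithoutFragment(FRAGMENT_REDIRECT));
```
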