From what I can tell, the CORS settings only apply to the API, the tracking script
piwik.js is not served with the
Access-Control-Allow-Origin response header.
I would like to use the
integrity attribute on the tracker script, to make sure it has not been tampered with, and it requires the resource to be served with CORS headers.