If I understand correctly, you're talking about making HTTP requests from code running in the browser to a third-party API.
Whether you're doing WASM or Javascript, you use fetch() and need to have your CORS ducks in a row. How exactly you call fetch() depends on your toolchain, but anything trying to be general-purpose will expose it somehow.
Thanks for clarifying. I hope that one day there is a way to securely make those kinds of requests in the client side. Until then I'll be using a proxy to strip the cors headers.
