Checking for malware and exploits at distribution time is not always reliable, either, as the malicious content can be swapped in any time after publication, unlike resources that come embedded in the EPUB Container.
+The origin of an EPUB is both unknown to the EPUB Creator and
+ specific to each Reading System implementation. Consequently, if the EPUB Creator hosts remote
+ resources on a web server they control, the server effectively cannot use security features that
+ require specifying allowable origins, such as headers for
+ CORS,
+ Content-Security-Policy,
+ or X-Frame-Options.
Calls to remote resources can also be used to track information about users (e.g., through server logs). Reading Systems should limit the information they expose through HTTP requests to only what is essential to obtain the resource.
+The origin of an EPUB is both unknown to the EPUB Creator and
+ specific to each Reading System implementation. Consequently, if the EPUB Creator hosts remote
+ resources on a web server they control, the server effectively cannot use security features that
+ require specifying allowable origins, such as headers for
+ CORS,
+ Content-Security-Policy,
+ or X-Frame-Options.