Thanks for your reply!
Too bad there isn't a function like that. I think it would be quite useful, since the majority of API's out there don't allow direct cross-origin access.
Before I mark your reply as the correct answer, I feel I must object to your claim that it wouldn't matter - servers or desktop applications normally don't enforce any same-origin-policy like browsers do. If Qlik's desktop or server application did that, they wouldn't be able to use external web API's as data sources in normal load scripts either, and they certainly are able to do that. Right? Or maybe I just misunderstood your comment.
Well what a browser can't do is to "fake" it's origin if that's what you mean.
But a normal API would implement some kind of re-write on their end to accept different http origins.
I admit that CORS used to be a more important issue but with modern browsers, and the ones Sense supports, that implement html5 it's a lot less of an issue these days. The XMLHttpRequest supports all kinds of cors requests these days.
But if you can provide a good use-case then sure, we can put it into consideration!
Opening up your server to external http traffic feels scary though...
The API I was trying to use in this was a weather API at met.no, see https://api.met.no/weatherapi/documentation.
In the end, I went with another weather API - Yahoo Weather, which supports CORS, but has less data with less precision for my use case. I shouldn't talk about what's more common because I don't know, but I'm sure there are plenty of potentially useful API's out there that still do not support CORS.
What people normally do when they want to use an API like that as part of a web application is that they let the web server do the request instead, acting like a proxy and passing the result back to the client. The web server has no problem with making a request to any public URL.
My though here is that the QV/QS desktop or server application could do the same thing, since it has the same role as a web server to some extent. After all, QV/QS can make requests to API's like that when executing the load script. So that's the idea that you could take into consideration, if you want.
And, just for arguments sake, I'm not quite sure how web servers and other applications like curl and such do it, but my understanding is that it is the browser that enforces the CORS policy, adds the special request headers and respects the response headers. It only does this on AJAX requests, not in requests for resources like images or scripts, so it definitely COULD do it. I know that in Chrome, you can even bypass this behaviour with special startup flags, which will then allow the client to do any cross-domain requests it wants. This is off course not a way to solve any problem here, but just to illustrate.