
Restrict requests to same-origin by default #37

@lexidor

Taken from Web Security Basics by htmx dot org: "Only call routes you control"

The fetch API supports a mode `same-origin`. If this mode were the default, this best practice would be enforced automatically. This issue suggests adding a single line to the core library, `mode: "same-origin"`, to the initializer of the `cfg` object.

An extension which will unset this property ought to be provided in the README. This allows people to opt in to the lax model. This is needed to support use of fixi where multiple origins host one application (`fx-action="my-beta.domain.com/resource"`).
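
The proposal above, modelled as an added example (not fixi's code and not part of the original issue): it shows which `fx-action` values a default of `mode: "same-origin"` would let through, and what an opt-out that unsets the property changes. `PAGE_URL`, `defaultCfg`, `allowCrossOrigin`, `checkRequest` and `outcome` are hypothetical names, and the URLs other than the issue's host name are constructed.

```javascript
// Constructed document URL standing in for the page that hosts the elements.
const PAGE_URL = "https://app.example/dashboard/";

// The default the issue proposes for the request config (cfg) object.
function defaultCfg(action) {
  return { action, method: "GET", mode: "same-origin" };
}

// Hypothetical opt-out extension: unsets the property, so fetch falls back
// to its own default mode ("cors") and cross-origin requests are attempted.
function allowCrossOrigin(cfg) {
  const copy = { ...cfg };
  delete copy.mode;
  return copy;
}

// Mirrors the browser rule: with mode "same-origin", a request whose URL
// (resolved against the document URL) has a different origin fails with a
// TypeError before anything is sent. Origin = scheme + host + port.
function checkRequest(cfg, pageUrl = PAGE_URL) {
  const target = new URL(cfg.action, pageUrl);
  const sameOrigin = target.origin === new URL(pageUrl).origin;
  if (cfg.mode === "same-origin" && !sameOrigin) {
    throw new TypeError(`blocked cross-origin request to ${target.origin}`);
  }
  return { url: target.href, sameOrigin };
}

// Returns the resolved URL, or the error text when the request is refused.
function outcome(cfg) {
  try {
    return checkRequest(cfg).url;
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}

// Constructed sample actions covering the cases that matter for the default.
const samples = [
  "/resource",                           // path on the same origin
  "https://my-beta.domain.com/resource", // absolute URL, other origin
  "//my-beta.domain.com/resource",       // protocol-relative, other origin
  "https://app.example:8443/resource",   // same host, other port: other origin
  "my-beta.domain.com/resource",         // no scheme: resolves as a relative path
];
for (const action of samples) {
  console.log(action, "->", outcome(defaultCfg(action)));
}
```

A value without a scheme or leading `//` is resolved as a relative path on the current origin, so it passes the same-origin check without ever reaching the other host.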
