Giving people directly control over headers is a security risk so I would prefer to have a something a bit more strict. Additionally, we have a lot of newer (and tired!) game devs uploading HTML5 games. I don’t want to push them into writing configuration files because it’s going to result in broken games, confusion & support tickets. Ideally something that transparently works.
On closer inspection I see that the document hosting the game must include those headers, and not the WASM code itself. I think that it’s probably safe to just apply those headers to all index.html files extracted for HTML5 games.