I fear the section on CORS might lead some readers to do what so many first do with CORS: set that permissive header for all HTTP responses in their server config instead of just the response for the feed URL.

This is my sad face when I read 'use URLs as entry IDs'. URLs are a terrible permanent identifier because all sorts of things wind up changing them, even in the context of feeds. (Feeds are less dangerous because things expire out of feeds, so old entry IDs do eventually disappear, but.)