You can if you want to deliberately CORF yourself for some reason - it's there to protect you, but spoofing it doesn't give you any special access you wouldn't otherwise have.
The point is that arbitrary user's browsers out in the world won't spoof the Origin header, which is protecting them from CORF attacks.
Maybe it you're running Windows XP, but that is absolutely not true for a supported version of Windows. It is absolute FUD to say simply connecting a Windows 10/11 machine to the internet will cause it to be automatically infected.
Been enjoying playing a couple games of Seven Wonders Duel so far, but one immediate issue is that there is no way to unsubscribe from the emails telling me it's my turn. I've already got browser notifications turned on, so these emails are filling up my inbox fast.
I've also reported a couple bugs so far, the main one being not being able to build Wonders even though I have adequate resources, but other than that, amazing work! I'm keen to implement a game myself sometime soon.
There is nothing about HTML/CSS/JS that prevents simplicity. It is purely how it has been used and abused. You can also disable JS and use user agent stylesheets in any modern web browser.
Sadly, boardgame arena also pushes advertising for new games and features through the notifications as well. I'm sure it's possible to disable specific categories, but it unfortunately undermines their value even more when otherwise legitimate sites still somewhat abuse push notifications.
The point is that arbitrary user's browsers out in the world won't spoof the Origin header, which is protecting them from CORF attacks.