Just being curious here.
Today, I was a bit baffled being able to write new Joplin notes despite not having passed the authentication token, which led to the source code research. A more consequent (in my eyes better) strategy would be:
const whiteList = [['GET', 'ping']];
Though I only use the REST API from an external application, so I cannot say anything about Webclipper.
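The allow-list proposed in the post above, enforced as a method-and-path check in front of a token comparison; this is an added sketch, not Joplin's code, and `authorise`, the request shape, the `notes` path and the token values are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Allow-list from the post: only GET ping is reachable without a token.
const whiteList = [['GET', 'ping']];

// Drop the query string and surrounding slashes so "/ping/" and "ping?x=1"
// compare equal to the allow-list entry.
function normalisePath(path) {
  return String(path).split('?')[0].replace(/^\/+|\/+$/g, '');
}

// Both method and path must match: POST ping is not exempt.
function isWhiteListed(method, path) {
  const m = String(method).toUpperCase();
  const p = normalisePath(path);
  return whiteList.some(([wm, wp]) => wm === m && wp === p);
}

// Compare fixed-length digests in constant time so the check does not leak
// how much of the token matched.
function tokenMatches(supplied, expected) {
  const a = crypto.createHash('sha256').update(String(supplied)).digest();
  const b = crypto.createHash('sha256').update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// request: { method, path, token } (hypothetical shape for this example).
function authorise(request, expectedToken) {
  if (isWhiteListed(request.method, request.path)) {
    return { allowed: true, reason: 'whitelisted' };
  }
  if (!request.token || !expectedToken) {
    return { allowed: false, reason: 'missing token' };
  }
  if (!tokenMatches(request.token, expectedToken)) {
    return { allowed: false, reason: 'invalid token' };
  }
  return { allowed: true, reason: 'token ok' };
}

// Constructed sample requests.
const TOKEN = 'constructed-token-123';
console.log(authorise({ method: 'GET', path: '/ping' }, TOKEN));
console.log(authorise({ method: 'POST', path: '/notes' }, TOKEN));
console.log(authorise({ method: 'POST', path: '/notes', token: TOKEN }, TOKEN));
```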