So for web-based PKI applications to properly validate chains they need the ability to fetch crypto evidence such as CRLs, OCSP responses, and sometimes intermediate certs.

This is problematic because the browser enforces the same-origin policy (as it should) which means a web application can not fetch these bits of evidence. The browser provides a mechanism to bypass this limitation, it is called Cross-Origin Resource Sharing (CORS).

The thing is virtually no certificate/CRL repositories or OCSP responders set the CORS policies in such a way to allow web applications to request these resources.

This means that for a digital signature application, for example, to work reliably, all necessary evidence should be embedded in the document so no additional wire connections are needed.

In the context of digital signatures, this is a requirement for what are called Long Term Validation (LTV) signatures. The problem is that even LTV signatures often do not contain this information. In other words, they claim to be LTV but are not.

In general, though, I believe CAs should allow CORS requests to their repositories, these repositories exist for the purpose of resource sharing and this is the mechanism the web gives for that.

Absent that, web-based PKI applications either need to provide an authenticated proxy in the same origin that can fetch these resources for the client or an unauthenticated one.

Both are not ideal as they can potentially be used as a tool to attack another site, of course, an authenticated one is better in that regard.