I think your tinfoil hat is misplaced. CORS was a hack added to fix the "bug" that cookies are sent cross-origin by default. Without CORS (and modern per-origin cookie jar policies) evil.example could load up https://facebook.com/api/friends.json and get a list of your friends or profile.json to read your profile. CORS was an ugly band-aid to prevent this without breaking existing sites.
I agree that CORS is a pain and a mess but it had very clear and non-nefarious benefits when it was introduced. Maybe when all browsers only support origin-isolated cookie jars it can be obsoleted but I wouldn't hold my breath.
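The read check the comment refers to, as an added example that is not part of the original comment: a simplified model of how a browser decides whether a page's script may read a cross-origin response, with and without cookies attached. The function names and the response header sets are constructed for illustration, and preflight requests are not modelled.

```javascript
// Simplified model of the browser-side CORS response check.
// Hypothetical helper names; header sets below are constructed samples.

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// Returns true if script running at pageOrigin may read the response body.
function scriptMayRead(pageOrigin, requestUrl, responseHeaders, withCredentials) {
  // Same-origin responses are always readable.
  if (originOf(requestUrl) === pageOrigin) return true;

  // Header names are case-insensitive; values are compared after trimming.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();
  }

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // server did not opt in

  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // Cookies were attached: the wildcard is not accepted, and the server
  // must also send Access-Control-Allow-Credentials: true.
  return allowOrigin === pageOrigin &&
         h["access-control-allow-credentials"] === "true";
}

// The scenario from the comment: a page on evil.example requests the API.
function demo() {
  const api = "https://facebook.com/api/friends.json";
  const evil = "https://evil.example";
  return {
    noHeaders: scriptMayRead(evil, api, {}, true),
    wildcardWithCookies: scriptMayRead(evil, api,
      { "Access-Control-Allow-Origin": "*" }, true),
    wildcardNoCookies: scriptMayRead(evil, api,
      { "Access-Control-Allow-Origin": "*" }, false),
    explicitOptIn: scriptMayRead(evil, api,
      { "Access-Control-Allow-Origin": evil,
        "Access-Control-Allow-Credentials": "true" }, true),
    sameOrigin: scriptMayRead("https://facebook.com", api, {}, true),
  };
}

console.log(demo());
```

The defensive takeaway is in the `explicitOptIn` case: a server that echoes an arbitrary request origin back together with `Access-Control-Allow-Credentials: true` gives up the protection, so credentialed endpoints should compare the origin against an allowlist.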