HACKER Q&A
📣 anderspitman

Why is CORS the way it is?


I understand the problem CORS is trying to solve, but I don't really understand the implementation. The main problem for me is the decreased performance as a result of preflight requests. In order to avoid them, as far as I know you have to resort to hacky solutions like tunneling everything through POST requests with mime type text/plain, or using query params like ?delete=true. These solutions are easy to implement, but hacky and dangerous.

Since it's so easy for developers to circumvent, why did browser vendors force this solution on everyone, rather than leaving cross-origin security up to developers, or at least making CORS opt-in?

What am I missing here?


  👤 evnix Accepted Answer ✓
Send cache headers in the preflight response so the browser doesn't keep requesting it.

> Since it's so easy for developers to circumvent

But not for hackers trying to inject JS into insecure webpages.

But I do get your point, there should have been a better implementation, I have the same complaint against HTTPS (makes development unnecessarily complicated).
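To make the two points above concrete (which requests trigger a preflight at all, and how a server answers the preflight with a cache lifetime so the browser stops repeating it), here is an added example that is not from the thread or from any particular framework. The safelisted method and header rules follow the Fetch standard in simplified form; `ALLOWED_ORIGINS`, `ALLOWED_METHODS`, `ALLOWED_HEADERS` and `MAX_AGE_SECONDS` are constructed placeholders for a hypothetical API.

```python
# Added example (not from the thread): classify whether a cross-origin
# request needs a CORS preflight, and build a cacheable preflight
# response that only admits allowlisted origins. Rules are a simplified
# reading of the Fetch standard's "CORS-safelisted" definitions.

from typing import Dict, Tuple

# Requests using only these methods and headers are sent without a preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",  # this is why "tunnel everything as text/plain" avoids preflights
}

# Constructed server policy for a hypothetical API (placeholders, not real hosts).
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"]
ALLOWED_HEADERS = ["content-type", "authorization"]
MAX_AGE_SECONDS = 600  # how long the browser may cache this preflight result


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """Return True if a browser would send an OPTIONS preflight before this request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # e.g. Authorization or X-Requested-With forces a preflight
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFELISTED_CONTENT_TYPES:
                return True  # application/json is not safelisted
    return False


def preflight_response(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Answer an OPTIONS preflight: (status, response headers).

    The origin is echoed back only when it is on the allowlist; reflecting
    an arbitrary Origin header would hand CORS access to any site.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        return 403, {}

    req_method = hdrs.get("access-control-request-method", "").upper()
    if req_method not in ALLOWED_METHODS:
        return 403, {}

    req_headers = [
        h.strip().lower()
        for h in hdrs.get("access-control-request-headers", "").split(",")
        if h.strip()
    ]
    if any(h not in ALLOWED_HEADERS for h in req_headers):
        return 403, {}

    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
        "Vary": "Origin",  # response differs per origin, so caches must key on it
    }


if __name__ == "__main__":
    print(needs_preflight("POST", {"Content-Type": "text/plain"}))        # False
    print(needs_preflight("POST", {"Content-Type": "application/json"}))  # True
    print(preflight_response({
        "Origin": "https://app.example",
        "Access-Control-Request-Method": "DELETE",
        "Access-Control-Request-Headers": "content-type",
    }))
```

`Access-Control-Max-Age` is what the accepted answer means by "cache headers": the browser caches the preflight result per origin and URL, so repeated calls to the same endpoint skip the OPTIONS round trip. Browsers cap the value (Chromium clamps it to 7200 seconds), so very large numbers buy nothing extra. Note that the policy check happens on the server; a preflight cache only removes latency, it does not loosen which origins are admitted.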