Has CORS Solved Anything?
Personally I see it only as something that needs to be implemented on the server so the browser doesn't error out and the user won't freak out. Beside that it's just like a lock on a door... in a house... with no walls.... in the middle of a desert... on mars.
It's a necessity that when implemented improperly leaves a sizeable security hole.
I recently got a bug bounty for finding a CORS vulnerability and showing a proof of concept phishing site that uses all of the resources from the genuine origin. The site was accepting a wildcard origin whereas it should've used a whitelist.
All I have to do is put a proxy in front of your API and strip all your headers off and send responses anywhere I like. Given that, how can CORS be "security"? It's totally insecure.
It is CORS that restricts running foreign javascripts in your page. Clearly a win