Understanding CORS
First of all, the cross domain check is performed by the browser, not the server. - SO
CORS - Why Is It Needed?
Security Risk Scenario:
In your mail-sending API, api.yourwebsite.com, you decided to let everyone access your API instead of only yourwebsite.com.
If you are using authentication based on session cookies, you probably shouldn’t allow CORS requests by everyone. A malicious website can issue e-mail sending requests to api.yoursebsite.com via an AJAX request without the specific permission of your user.
If the user has valid session cookies in their browser, they will be used to authenticate on api.yoursebsite.com and that would lead to unwanted e-mail sending. In most cases, dangerous requests will be “preflighted,” which means the domain needs to be approved before they can even send a request. This will prevent any malicious activities from happening.