What is CORS?
The first step in understanding CORS is knowing how some security features of web browsers work. By default, web browsers do not allow AJAX requests to servers other than the site you’re visiting. This is called the same-origin policy and it’s an important part of the web security model. In fact, the same-origin policy is deployed to over a billion devices all over the world and has proven to have a solid track record in terms of exploitation.
A Security Risk
Now imagine your mail-sending API is in api.yourwebsite.com. This is where it gets a little trickier because the same-origin policy will block the AJAX request. You want to enable AJAX requests from yourwebsite.com and one way to do that is using CORS.
In your mail-sending API, api.yourwebsite.com, you decided to let everyone access your API instead of only yourwebsite.com. Is this harmful?
Well, it depends on how you implemented the authentication for mail sending. If you are using authentication based on session cookies, you probably shouldn’t allow CORS requests by everyone. A malicious website can issue e-mail sending requests to api.yoursebsite.com via an AJAX request without the specific permission of your user.
If the user has valid session cookies in their browser, they will be used to authenticate on api.yoursebsite.com and that would lead to unwanted e-mail sending.
Read more in