I did some reading on CORS and I think I understand how it can restrict which origins the requests are coming from.
However, allowing cross-origin calls from the browser increases the possibility of XSS:
a person with malicious intent injects some JavaScript into a page to steal users' cookies and send them to a URL he controls;
all he has to do is add the following header: Access-Control-Allow-Origin: *
on the server side to make the request work.
https://security.stackexchange.com/questions/108835/how-does-cors-prevent-xss
The scenario that CORS is preventing is different:
For example, the victim logged into their bank's application. Then they were tricked into loading an external website on
a new browser tab. The external website then used the victim's cookie credentials and relayed data to the bank application
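
Added example, not part of the quoted question or answer: a simplified JavaScript model of the check a browser applies before letting a cross-origin script read a response, applied to the bank scenario above. The origins bank.example, external.example and partner.example and the function names are assumptions made up for the illustration; preflight requests are not modelled.

```javascript
// Simplified model of the browser's CORS response check (preflight not modelled).
// All origins below are constructed sample values.
function canScriptReadResponse({ pageOrigin, targetOrigin, withCredentials, responseHeaders }) {
  // Same-origin requests are not subject to the CORS check.
  if (pageOrigin === targetOrigin) return true;

  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // server did not opt in

  if (withCredentials) {
    // With cookies attached, "*" is not accepted: the server must name the
    // requesting origin and also send Access-Control-Allow-Credentials: true.
    return allowOrigin === pageOrigin &&
      headers["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

const BANK = "https://bank.example";
const EXTERNAL = "https://external.example";
const PARTNER = "https://partner.example";
const PARTNER_ONLY = {
  "Access-Control-Allow-Origin": PARTNER,
  "Access-Control-Allow-Credentials": "true",
};

// Each case is a page at pageOrigin trying to read a response from the bank.
function evaluateScenarios() {
  const cases = {
    externalNoCorsHeaders: { pageOrigin: EXTERNAL, withCredentials: true, responseHeaders: {} },
    externalWildcardWithCookies: { pageOrigin: EXTERNAL, withCredentials: true,
      responseHeaders: { "Access-Control-Allow-Origin": "*" } },
    externalAgainstPartnerAllowlist: { pageOrigin: EXTERNAL, withCredentials: true, responseHeaders: PARTNER_ONLY },
    partnerExplicitlyAllowed: { pageOrigin: PARTNER, withCredentials: true, responseHeaders: PARTNER_ONLY },
    wildcardWithoutCookies: { pageOrigin: EXTERNAL, withCredentials: false,
      responseHeaders: { "access-control-allow-origin": "*" } },
    bankOwnPage: { pageOrigin: BANK, withCredentials: true, responseHeaders: {} },
  };
  const results = {};
  for (const [name, c] of Object.entries(cases)) {
    results[name] = canScriptReadResponse({ targetOrigin: BANK, ...c });
  }
  return results;
}

console.log(evaluateScenarios());
```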