"Whenever I start thinking about CORS, my intuition about which site hosts the headers is incorrect, just as you described in your question. For me, it helps to think about the purpose of the same origin policy.
Sometimes you need to work cross domain, which is where CORS comes in. CORS relaxes the same origin policy for domainA.com, using the Access-Control-Allow-Origin header to list other domains (domainB.com) that are trusted