Cors in general is broken in general and for numerous reasons but on the client side more than server side.
Cors should be good. Cors could be good. But its primitive, difficult to write with when dealing with things such as Hybrid mobile development. If Web Services need a header acceptance policy solution then drop the same origin policy anyway and make it a totally separate thing. Make it so same origin resource sharing on the local side is blocked by default with an established white-listing system in place the also records management of how the resources are used would be even better!
You can get some of that that with the inspection tools on Chromium now but it would be far better if it was more definitive. E.G LocalStorage we could know when requests are made rather than just seeing the variables change.