I was reading about CORS and I think the implementation is both simple and effective.
However, unless I'm missing something, I think there's a big part missing from th
I share David's concerns. Security must be built layer by layer and a white list served by the origin server seems to be a good approach.
Plus, this white list can be used to close existing loopholes (forms, script tags, etc.); it's safe to assume that a server serving the white list is designed to avoid backward compatibility issues.