>GET requests will be sent, but they are supposed to be idempotent so if your server is implemented in a sensible way, it cannot cause any adverse effect, and reading the response is all that matters for GET requests.
Just my first thought as a security engineer, but sounds like a perfect opportunity to execute a timing attack to me. For example, check which users exist (by measuring response time for /api/users?name=john), etc.
Probably, but note that cross-domain GET requests have been supported since the beginning of the web, since this is literally how links work.
So while a badly implemented GET handler can indeed cause security issues, this is old news and unrelated to CORS.
(Besides, why measure response times? Can’t you just check if api/users?name=john returns a resource or a 404 not found?)