I did not really understand CORS until I sat down and wrote a server implementation of it and had to think hard about "what hooks should be exposed to developers for controlling it?"

Most of us, I think, just "expose a set of whitelisted origins and be done with it".

Here is where I landed for how to specify your server's CORS policy:

https://soklet.com/docs/cors#custom-workflow