Is CORS a secure way to do cross-domain AJAX requests?

天涯浪人 2020-11-27 11:10

After reading about CORS (Cross-Origin Resource Sharing), I don't understand how it improves security. Cross-Domain AJAX communication is allowed if the correct ORIGIN head

6 Answers
  •  情歌与酒
    2020-11-27 11:19

    I am late to answer but I don't think any post here really provides the sought answer. The biggest takeaway should be that the browser is the agent that is writing the origin header value. An evil script cannot write the origin header value. When the server responds back with an Access-Control-Allow-Origin header, the browser tries to ensure that this header contains the origin value sent earlier. If not, it triggers an error and does not return the value back to the requesting script. The other answers to this question present a good scenario of when you would like to deny an answer back to the evil script.

    @daniel f also provides a good answer to the question
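
The flow described in the answer above, as an added example that is not part of the original post: a small offline model of the browser writing `Origin` itself and then running the Fetch standard's CORS check on the response. The origins `https://app.example` and `https://evil.example`, the toy server and all function names are assumptions made up for illustration.

```javascript
// Constructed model of the browser side of CORS; nothing touches the network.
// Header names are real; origins, the toy server and function names are hypothetical.
const FORBIDDEN = new Set(["origin", "host", "cookie", "referer"]); // subset of the Fetch forbidden list
const ALLOWED = new Set(["https://app.example"]);                   // server-side allowlist

// The browser builds the request: forbidden headers supplied by the script are
// dropped, then Origin is written from the page that is actually running.
function buildRequest(pageOrigin, scriptHeaders = {}) {
  const headers = {};
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (!FORBIDDEN.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  headers.origin = pageOrigin;
  return { headers };
}

// CORS check as specified in the Fetch standard, run by the browser on the response.
function corsCheck(pageOrigin, responseHeaders, credentialsMode = "same-origin") {
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (credentialsMode !== "include" && allow === "*") return true;
  if (allow !== pageOrigin) return false; // exact string comparison
  if (credentialsMode !== "include") return true;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Toy server: echoes the Origin back only when it is on the allowlist.
function toyServer(request) {
  const origin = request.headers.origin;
  const headers = ALLOWED.has(origin)
    ? { "access-control-allow-origin": origin, vary: "Origin" }
    : {};
  return { headers, body: "account data" };
}

// What the calling script receives: the body, or nothing if the check fails.
function scriptFetch(pageOrigin, scriptHeaders, credentialsMode) {
  const request = buildRequest(pageOrigin, scriptHeaders);
  const response = toyServer(request); // the server processed the request either way
  const ok = corsCheck(pageOrigin, response.headers, credentialsMode);
  return { ok, sentOrigin: request.headers.origin, body: ok ? response.body : null };
}
```

The model also shows that the check only gates what the script can read: the server handled the request before the browser withheld the response.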
