Timing attack on the preflight.
reply
You really think a server-controlled CORS list will protect you from a client-side configuration issue?