Yes, but if ads do it, that would at worst make the ad server vulnerable, not your server.
replyYou apparently understand less than me. The little I do understand is that CORS is protection for a site's user, not the site.
replyIt's a protection of site's business model.
reply