Doesn't CORS generally send an OPTION request first to see if the target site even allows the requests, thus preventing this? That's what I've seen when trying to work around browser CORS limitations.
only for ajax requests that are not "simple", that is requests that cannot be sent w/out JavaScript. The sending of this OPTIONS request is referred to as a pre-flight. A more through description at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS