[inetknght]

You really think a server-controlled CORS list will protect you from a client-side configuration issue?

[bastawhiz]

It's not a client side configuration issue. You're not protecting against software the user has installed, you're protecting from arbitrary origins hitting the hostname. That's literally the exact reason cors exists.