You really think a server-controlled CORS list will protect you from a client-side configuration issue?