CORS is counter intuitive. I don’t think there is a better way to solve the problem, it is just a difficult to understand problem.

CORS errors occur when JavaScript in the browser attempts to call a server which is not configured to allow it. But the check is purely client-side. You can circumvent it entirely by using curl or whatever outside the browser.

For example the server sends a header indicating which domains it allows requests from, but it does not actually check if requests are from those domains. It is the responsibility of the client to check its domain is allowed.

All this make it seem like a pretty useless security feature, unless you understand the very specific kind of attack this protects aginst.