I understand that the Same Origin Policy is important and that web servers need to enable CORS to get around it, I just don't understand why servers do not liberally grant CORS requests.
If I have something like an API, why do I care who, what site, or in what manner someone requests details from the API?
Same Origin Policy is a big deal - not just a big inconvenience. If you don't want your assets and API to be used by everyone else outside of your domains then you don't want to liberally grant CORS to everyone.
Even if some asset is public in some manner, you don't want it to be used and abused by other websites, if nothing else because bandwidth comes with a cost.