javascript ajax cors same-origin-policy

Making an app accessible via two domains for same-origin AJAX request


Before you tell me about Access-Control-Allow-Origin and whitelisting, assume for the sake of argument that I can't touch the HTTP headers.

This is a hypothetical question.


My question:

  • Let's say I have an app available at a domain and I want to send a POST request from another domain, but I own both domains.
  • Let's also say, for the sake of argument, that I'm not at liberty to adjust CORS settings.

So I can make an AJAX request from website.com to app.website.com, but I have a second website, website2.com, which would also like to make an AJAX request to app.website.com.

If I were to create two CNAME records for app.website.com so that app.website2.com would point to the same app, could I then make an AJAX request from either domain without necessitating the setting of Access-Control headers?

As far as I can tell, the only problem would be a possible SEO penalty from Google for not having a canonical URL for app.website.com, which is irrelevant as in my thought experiment it's basically just an endpoint.

Can anybody illuminate me?


Solution

  • If you comply with the same hostname restriction (including the subdomain), then you can indeed use a CNAME to allow both domains to point to the same server.

    If your question is about whether the name resolution of the CNAME is of importance for CORS, then the answer is "no, it is not considered", and thus you can use this trick.
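
The comparison the browser makes, as an added example that is not part of the original question or answer: the origin is derived from the URL text (scheme, host, port), so two names that reach the same server through CNAMEs are still different origins. The CNAME table, the target `app-server.example.net` and the helper `classifyRequest` are constructed for illustration.

```javascript
// Added example. Constructed DNS view: both names are CNAMEs to one server.
// "app-server.example.net" is a made-up target, not from the original post.
const CNAME_TARGETS = {
  "app.website.com": "app-server.example.net",
  "app.website2.com": "app-server.example.net",
};

// Follow the constructed CNAME table; names without a record resolve to themselves.
function resolvesTo(hostname) {
  return CNAME_TARGETS[hostname] || hostname;
}

// Hypothetical helper: classify an AJAX request the way the same-origin policy does.
// The origin is scheme + host + port taken from the URL text; DNS is never consulted.
function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  const sameOrigin = page.origin === target.origin;
  return {
    sameOrigin,
    needsCors: !sameOrigin,
    // Informational only: has no influence on sameOrigin.
    sameServer: resolvesTo(page.hostname) === resolvesTo(target.hostname),
    // Name the server must answer for (virtual host and TLS certificate).
    hostHeader: target.host,
  };
}

// Constructed page/request pairs covering the cases discussed above.
const cases = [
  ["https://app.website2.com/form", "https://app.website2.com/api"], // alias used end to end
  ["https://app.website2.com/form", "https://app.website.com/api"],  // same server, other name
  ["https://website2.com/", "https://app.website2.com/api"],         // subdomain differs
  ["http://app.website2.com/form", "https://app.website2.com/api"],  // scheme differs
];
for (const [page, target] of cases) {
  console.log(page, "->", target, classifyRequest(page, target));
}
```

Only the first pair is same-origin, which means the page itself has to be served from `app.website2.com`, and the server has to accept that name in the `Host` header and present a certificate valid for it.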