After reading a lot of documents from MDN and CodeAcademy I still do not fully understand what the CORS handshake actually protects against.
I understand that the mechanism shall protect the browser from requesting resources that are located at a different origin without further controls.
Furthermore, as far as I understand the specification, the access control decision is fully evaluated by the server that is target of the CORS request. For example, if the server replies with the "Access-Control-Allow-Origin" header set (e.g. to "*") the browser will be allowed to handle the response.
Here are two scenarios that raise my questions:
With this both scenarios mentioned, I wonder what CORS really protect against. And I wonder if it would be more safe to reject requests from prohibited origins and send an adequate HTTP status (e.g. 403 Forbidden) within the response.
Probably I am missing something but I'd be grateful for any hint in the right direction.
In response to your points:
CORS is concerned with preventing cross-origin access. In this scenario, say you're accessing goodserver.com, they will be serving you the content, and they are therefore the origin in the jargon. Presumably then they're not going to serve you anything that talks to evilserver.com. Note that CORS is therefore not trying to prevent cross site scripting - in which an attacker somehow puts code on your origin that does talk to evilserver.com.
CORS is implemented in your browser, so as an evil person, you'd need to write a browser and persuade people to download and run it. However you're right that if you write a native app, or use HTML forms you'd not benefit from CORS security.
Your question does highlight though where the CORS system relies on trust and that's worth bearing in mind.
You might find this helpful, as they walk through the process: