A consumer is trying to call my REST API from client-side code (JavaScript / jQuery). Now, as expected, they receive a security error because of the Same Origin Policy.
I know one workaround is for the API to respond with JSON-P.
Would adding Access-Control-Allow-Origin: *
to the header also fix the issue? Is it a better workaround?
Unless you have a specific list of domains that you want to allow access from while restricting access from all other domains, I would stick with JSON-P. In my experience, CORS has spotty browser support and can be finicky to implement.
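The "specific list of domains" case mentioned in the answer, in contrast to sending `Access-Control-Allow-Origin: *` to everyone, can be sketched as follows. This is an added example, not part of the original question or answer; the function name `corsDecision`, the `POLICY` object and the origins in it are hypothetical values constructed for illustration.

```javascript
// Constructed policy: only these exact origins may read API responses from a browser.
const POLICY = {
  allowedOrigins: new Set(["https://app.example.com", "https://partner.example.net"]),
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type"],
  maxAgeSeconds: 600,
};

// Computes the CORS part of a response from the request method and its
// lower-cased headers. status === null means "continue to the normal handler".
function corsDecision(method, reqHeaders, policy = POLICY) {
  // Vary: Origin keeps shared caches from replaying one origin's headers to another.
  const headers = { Vary: "Origin" };
  const origin = reqHeaders["origin"];
  if (origin === undefined) return { status: null, headers }; // not a cross-origin browser call

  // Exact string match only: prefix, suffix or regex matching lets lookalike hosts through.
  if (!policy.allowedOrigins.has(origin)) {
    // No Access-Control-Allow-Origin is sent, so the browser refuses to hand the
    // response to the calling script. The request itself still reaches the API,
    // which is why CORS does not replace authentication.
    return { status: method === "OPTIONS" ? 403 : null, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin; // echo the matched origin, never "*"

  const wantedMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || wantedMethod === undefined) return { status: null, headers };

  // Preflight: check the method and headers the browser announces it will send.
  const wantedHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const permitted = policy.allowedMethods.includes(wantedMethod) &&
    wantedHeaders.every((h) => policy.allowedHeaders.includes(h));
  if (!permitted) return { status: 403, headers: { Vary: "Origin" } };

  headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
  headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  return { status: 204, headers };
}
```
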