deleted 13 characters in body; edited title
SilverlightFox

Understanding AJAX CORS and security considerations

I am trying to understand why CORS works the way it does.

As I learned from [this post][1], when a page from www.a.com makes an AJAX request to www.b.com, it is www.b.com that decides whether the request should be allowed or not.

But what exactly is secured on the client in such a model? For example, if a hacker succeeds in injecting an XSS script into my page, it then makes an AJAX request to his domain to store user data. The hacker's domain will allow such a request for sure.

I thought that www.a.com should decide which domains requests may be made to. So in theory, within an Access-Control-Allow-Origin header I would like to put the whole list of domains that are allowed for AJAX CORS requests.

Can someone explain what security problems the current CORS implementation handles?

[1]: http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/

Alex Dn

Understanding AJAX CORS and security considerations

I am trying to understand why CORS works the way it does.

As I learned from this post, when a page from www.a.com makes an AJAX request to www.b.com, it is www.b.com that decides whether the request should be allowed or not.

But what exactly is secured on the client in such a model? For example, a hacker succeeds in injecting an XSS script into my page, and it then makes an AJAX request to his domain to store user data. The hacker's domain will allow such a request for sure.

I thought that www.a.com should decide which domains to allow requests to and which not. So in theory, within an Access-Control-Allow-Origin header I would like to put the whole list of domains that are allowed for AJAX CORS requests.

Can someone explain what security problems the current CORS implementation should handle?

Thanks
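The mechanism the question describes, as an added example that is not part of the original post: a small JavaScript model of the two decisions involved when a page on www.a.com calls www.b.com. First www.b.com compares the request's Origin header against an allowlist and only then emits Access-Control-Allow-Origin; then the browser decides, from the response headers, whether script on the calling page may read the response. The function names, the allowlist contents and the scenarios are constructed for this example. It models only whether the response can be read; for a simple request the request itself still reaches the server.

```javascript
// Added example: a minimal model of the two halves of a CORS decision.
// Server side (www.b.com): decide from the request's Origin whether to
// emit Access-Control-Allow-Origin, using an explicit allowlist.
// Browser side: decide whether the page at `pageOrigin` may read the
// response, following the rules browsers apply to the response headers.
// Hostnames come from the question; helper names, the allowlist contents
// and the scenarios below are assumptions constructed for the example.

// www.b.com's policy (assumed): only pages from www.a.com may read its responses.
const ALLOWED_ORIGINS = new Set(["https://www.a.com"]);

// Server-side decision at www.b.com. `req.headers` is a plain object of
// lower-cased header names. `allowCredentials` says whether b.com is
// willing to let the cross-origin page send cookies with the request.
function corsResponseHeaders(req, allowedOrigins, allowCredentials = false) {
  const origin = req.headers["origin"];
  const out = {};
  // No Origin header: same-origin navigation or non-browser client; nothing to add.
  if (!origin) return out;
  // Never reflect the Origin blindly; compare against the allowlist.
  if (!allowedOrigins.has(origin)) return out; // deny: leave the CORS headers absent
  out["access-control-allow-origin"] = origin;
  // Vary so a shared cache does not serve a.com's allow header to another origin.
  out["vary"] = "Origin";
  if (allowCredentials) out["access-control-allow-credentials"] = "true";
  return out;
}

// Browser-side enforcement. The response always reaches the browser; this
// decides whether script running on `pageOrigin` is allowed to read it.
function browserMayReadResponse(pageOrigin, resHeaders, withCredentials) {
  const acao = resHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") {
    // The wildcard is never accepted for credentialed requests.
    return !withCredentials;
  }
  if (acao !== pageOrigin) return false;
  if (withCredentials && resHeaders["access-control-allow-credentials"] !== "true") {
    return false;
  }
  return true;
}

// Run one scenario end to end: a page on `pageOrigin` calls www.b.com.
function simulate(pageOrigin, withCredentials, allowedOrigins, allowCredentials) {
  const req = { headers: { origin: pageOrigin } };
  const res = corsResponseHeaders(req, allowedOrigins, allowCredentials);
  return browserMayReadResponse(pageOrigin, res, withCredentials);
}

// Constructed scenarios:
// 1. www.a.com is on b.com's allowlist, no cookies        -> readable
// 2. evil.example is not on the allowlist                 -> no ACAO emitted, blocked
// 3. www.a.com with cookies, b.com did not opt in         -> blocked
// 4. www.a.com with cookies, b.com opted in               -> readable
const results = {
  allowedNoCreds: simulate("https://www.a.com", false, ALLOWED_ORIGINS, false),
  notAllowed: simulate("https://evil.example", false, ALLOWED_ORIGINS, false),
  credsNotOptedIn: simulate("https://www.a.com", true, ALLOWED_ORIGINS, false),
  credsOptedIn: simulate("https://www.a.com", true, ALLOWED_ORIGINS, true),
};
console.log(results);
```

The server half is where misconfigurations usually live: echoing whatever Origin arrives (with credentials enabled) hands every site the same read access the allowlist was meant to restrict, which is why the example compares against a fixed set and returns nothing on a miss rather than reflecting the value.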