They can still prevent you from sending requests from another domain by looking at the Origin header. AFAIK, origin inspection is actually more secure since no OPTIONS request is sent for GET requests. If CORS doesn't allow a GET request, what typically happens is the request is still made, but the browser tells the requestor that the request failed. Therefore, you could get timing attacks or something and you have to deal with additional load. Just inspecting the Origin header can be done with a lot fewer resources than looking up a bunch of data in the database to service some request.
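The difference described above, as an added example that is not part of the original comment: one handler relies on CORS response headers alone, the other inspects `Origin` before doing any work, and both are replayed over the same constructed GET requests. The names `ALLOWED`, `expensiveLookup`, `corsOnly`, `originChecked` and `replay`, the origins, and the choice to accept requests with no `Origin` header are assumptions made for the illustration.

```javascript
// Added example. All names and sample values here are hypothetical.
const ALLOWED = new Set(["https://app.example.com"]); // constructed allow-list

let lookups = 0;
function expensiveLookup(url) { // stand-in for the database work behind a request
  lookups += 1;
  return JSON.stringify({ url, rows: 3 });
}

// CORS only: the work is always done; the response header just decides
// whether the browser lets the calling script read the result.
function corsOnly(req) {
  const headers = {};
  const origin = req.headers.origin;
  if (ALLOWED.has(origin)) headers["Access-Control-Allow-Origin"] = origin;
  return { status: 200, headers, body: expensiveLookup(req.url) };
}

// Origin inspection: reject before any work is done. A missing Origin is
// accepted here (assumption) because browsers omit it on same-origin GETs;
// the literal value "null" is not on the allow-list, so it is rejected.
function originChecked(req) {
  const origin = req.headers.origin;
  if (origin !== undefined && !ALLOWED.has(origin)) {
    return { status: 403, headers: {}, body: "origin not allowed" };
  }
  const headers = { Vary: "Origin" };
  if (origin !== undefined) headers["Access-Control-Allow-Origin"] = origin;
  return { status: 200, headers, body: expensiveLookup(req.url) };
}

// Constructed sample requests: simple GETs, so no OPTIONS preflight precedes them.
const SAMPLES = [
  { method: "GET", url: "/report", headers: { origin: "https://app.example.com" } },
  { method: "GET", url: "/report", headers: { origin: "https://other.example.net" } },
  { method: "GET", url: "/report", headers: { origin: "null" } },
  { method: "GET", url: "/report", headers: {} },
];

// Run every sample through a handler; report statuses and how many lookups ran.
function replay(handler) {
  lookups = 0;
  const statuses = SAMPLES.map((req) => handler(req).status);
  return { statuses, lookups };
}

console.log("cors only     ", replay(corsOnly));
console.log("origin checked", replay(originChecked));
```

The `Origin` header is set by the browser, so this check constrains cross-site requests made from browsers; a non-browser client can send any value it likes and still needs authentication and rate limiting.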