WICG / direct-sockets

Direct Sockets API for the web platform

What is the concern with CORS? #59

Closed olalonde closed 1 year ago

olalonde commented 1 year ago

Threat: Attackers may use the API to by-pass third parties' CORS policies.

Mitigation: We could forbid the API from being used for TCP with the well known HTTPS port, whenever the destination host supports CORS.

I don't get it. Isn't the whole reason for CORS "Resource Sharing" (e.g. indirectly using resources like cookies belonging to another domain)? With direct sockets, no shared resource is being accessed; all the browser does is open a TCP connection (e.g. no cookie is accessed or sent anywhere).

I can understand that TCP connections could be abused by some websites (e.g. using your browser for spamming, accessing unsecured local services, etc.), but this can be solved with a permission-style popup just like with the geolocation or webcam APIs.

But I don't get how it has anything to do with CORS or why some arbitrary ports should be blocked.

GrapeGreen commented 1 year ago

This section is quite old and is no longer relevant under the current security model - I will update this soon.