Zemnmez
1 min read · Aug 2, 2019


A CORS policy never blocks anything. A CORS policy can only open up new ways to access a resource, so I take your question to mean: what does it mean if I open up a backend service to CORS access?

It depends on the way the CORS policy is written. Access-Control-Allow-Origin on its own rarely introduces any issues; however, many policies which are transitioning from cookies include Access-Control-Allow-Credentials, which would mean you’re even more vulnerable to CSRF issues unless specially protected.

If your CORS endpoint reveals information about the user’s IP address, or information you have on the user, then that’ll be free to access too.
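As an added example (not part of the original response), the credentialed-CORS pattern described above beside a hardened allowlist version, with a small model of the browser's read check. The function names, the allowlist and the origins are constructed assumptions for illustration.

```javascript
// Constructed allowlist of origins that are permitted to make credentialed
// cross-origin requests to this backend.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Weak pattern: reflect whatever Origin the browser sent and allow credentials.
// Any page can then make the browser attach the user's cookies AND read the
// response, so a cookie-authenticated endpoint loses its same-origin protection.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: emit credentialed CORS headers only for an exact
// allowlisted origin. Every other origin gets no CORS headers at all, so the
// browser keeps the response opaque to the calling page.
function hardenedCorsHeaders(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // The response now depends on Origin; without Vary a shared cache could
    // serve one origin's headers to another.
    "Vary": "Origin",
  };
}

// Models the browser-side decision: may a page at callerOrigin read a
// credentialed (cookie-carrying) response that arrived with these headers?
// For credentialed requests the browser rejects "*" and requires an exact match.
function browserAllowsCredentialedRead(headers, callerOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  return acao === callerOrigin && acac === "true";
}

// Demonstration with a constructed untrusted origin.
const other = "https://untrusted.example";
console.log("weak policy readable by untrusted page:",
  browserAllowsCredentialedRead(weakCorsHeaders(other), other));        // true
console.log("hardened policy readable by untrusted page:",
  browserAllowsCredentialedRead(hardenedCorsHeaders(other), other));    // false
```

The same defect shows up in any policy that reflects Origin from a regex or prefix match rather than an exact allowlist, so review the matching logic, not just whether the credentials header is present.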
