Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin (domain, protocol, or port), access to selected resources from a different origin.
A web application executes a cross-origin HTTP request when it requests a resource that has a different origin from its own.
The main functionality of the CORS policy is to prevent Site A from requesting data from Site B through most commonly an AJAX request.
Essentially it can be used to steal credentials, API keys and other malicious activity.
Additionally you could use an iframe as well to frame content from another site (if they have a misconfigured or poor CORS policy) allowing you to directly steal credentials, clickjack and a variety of malicious activity.
Portswigger has a great article showing how CORS can easily be exploited when misconfigured.
This is possible and easy to do with the Cross-origin resource sharing (CORS) headers — the most common being Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers.
Continue reading A Quick Glance at Cross-Origin Resource Sharing Security Headers at Sucuri Blog.