Yeah, this aspect of CORS is almost never properly explained.
First off, it's not about the authentication cookie. It would be simple enough for browsers to just omit cookies in cross-domain requests.
Here's an example of a real issue:
1. You have a network-attached storage device on your LAN.
2. Because the device is not accessible from the public internet, you have decided not to enable authentication. Anyone on the local network can issue requests.
3. You visit a malicious website.
4. That website's JS makes network requests to your device.
Basically, when you run JS in your browser, it's using your computer's network context. That context may have privileges that not everyone has (e.g. authentication based on source IP). You don't want random JS code to have those privileges.
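To make the scenario in this comment concrete, here is a small simulation (added here, not code from the commenter or from any real device) of how a browser applies CORS to a page's requests against an unauthenticated LAN device. The origins, the `/notes.txt` path and the device's GET/DELETE API are constructed for the example. It also shows a caveat worth knowing as a defender: a "simple" GET or form-style POST is sent to the device regardless of CORS, and the browser only withholds the response body from the script, so a device that changes state on such requests still needs its own authentication or CSRF defence.

```python
# Simulation of browser CORS behaviour against an unauthenticated LAN device.
# Not browser or device code; origins, paths and contents are constructed.

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _needs_approval(name, value):
    """A request header that forces a CORS preflight (not on the Fetch safelist)."""
    lname = name.lower()
    if lname not in SAFELISTED_HEADERS:
        return True
    return lname == "content-type" and value.split(";")[0].strip().lower() not in SAFELISTED_CONTENT_TYPES


def is_simple_request(method, headers):
    """True if the browser sends this cross-origin request without a preflight."""
    return method.upper() in SIMPLE_METHODS and not any(_needs_approval(n, v) for n, v in headers.items())


class NasDevice:
    """Toy LAN device with no authentication: it acts on any request that arrives.
    It emits CORS headers only for origins its owner has allow-listed (hypothetical)."""

    def __init__(self, allowed_origins):
        self.allowed_origins = set(allowed_origins)
        self.files = {"notes.txt": "holiday plans"}   # constructed content
        self.requests_seen = []                        # everything that reached the device

    def handle(self, origin, method, path, headers):
        self.requests_seen.append((origin, method, path))
        resp = {}
        if origin in self.allowed_origins:
            resp["Access-Control-Allow-Origin"] = origin
            resp["Vary"] = "Origin"
        if method == "OPTIONS":                        # CORS preflight: no side effects
            if origin in self.allowed_origins:
                resp["Access-Control-Allow-Methods"] = "GET, DELETE"
                resp["Access-Control-Allow-Headers"] = "Content-Type"
                return 204, resp, None
            return 403, resp, None
        name = path.lstrip("/")
        if method == "GET":
            return (200, resp, self.files[name]) if name in self.files else (404, resp, None)
        if method == "DELETE":                         # state change, no auth check
            self.files.pop(name, None)
            return 204, resp, None
        return 405, resp, None


def browser_fetch(device, page_origin, method, path, headers=None):
    """Model fetch() from a page at page_origin to the device.
    Returns whether the real request reached the device and whether the
    page's script may read the response body."""
    headers = headers or {}
    if not is_simple_request(method, headers):
        status, pre, _ = device.handle(page_origin, "OPTIONS", path,
                                       {"Access-Control-Request-Method": method})
        allowed_methods = {m.strip().upper() for m in pre.get("Access-Control-Allow-Methods", "").split(",")}
        allowed_headers = {h.strip().lower() for h in pre.get("Access-Control-Allow-Headers", "").split(",")}
        ok = (200 <= status < 300
              and pre.get("Access-Control-Allow-Origin") in (page_origin, "*")
              and method.upper() in allowed_methods
              and all(n.lower() in allowed_headers for n, v in headers.items() if _needs_approval(n, v)))
        if not ok:                                     # browser never sends the real request
            return {"reached": False, "readable": False, "body": None}
    status, resp, body = device.handle(page_origin, method, path, headers)
    readable = resp.get("Access-Control-Allow-Origin") in (page_origin, "*")
    return {"reached": True, "readable": readable, "body": body if readable else None}


if __name__ == "__main__":
    nas = NasDevice({"https://nas-admin.example"})
    print(browser_fetch(nas, "https://evil.example", "GET", "/notes.txt"))      # reached, not readable
    print(browser_fetch(nas, "https://evil.example", "DELETE", "/notes.txt"))   # preflight fails, not reached
    print(browser_fetch(nas, "https://nas-admin.example", "DELETE", "/notes.txt"))  # reached and readable
```

The second call is the case CORS actually protects: the DELETE needs a preflight, the device refuses the unknown origin, and the browser never sends the real request. The first call shows the limit: the GET reaches the device (check `nas.requests_seen`), and only the response is hidden from the malicious page.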