Right - it is a good safety feature. Also worth noting that responding with a wildcard will not allow you to set cookies in the browser when using `withCredentials` in the client and `access-control-allow-credentials` on the server. You've got to return a specific origin (one that is a match in your whitelist)
CORS allows you to whitelist what domains you accept certain requests from. This is a good thing.
One thing I never understood really is why a webpage is able to load scripts from a different domain. That will I suppose remain a mystery to me forever. Imagine how many fewer ads and junk we might see.
What are you skeptical about? That this person's friend is actually injured? That it happened because of tesla? People get injured at work. Maybe not where YOU work, but it absolutely happens.
Also, the subtext of your comment - that this person OF COURSE would have contacted a news organization if their claim was legitimate is frankly very weird.
Furthermore, the very existence of these credit agencies should be sincerely alarming to most normal people, and probably already is. These databases should not exist.