but now one can just use a completely different domain
yep. back in the day, if you had an app running on thing.example.com you couldn't even talk to api.example.com, you had to set up proxy stuff so that thing.example.com/api would end up making calls to the right server, or you could start pulling from the bucket of rather cursed techniques to achieve cross origin communication anyway (JSONP or iframe postMessage depending on the era)
How would a site like say, Twitch, operate without CORS?
so, for livestreaming, you essentially need media source extensions; that basically means that javascript is responsible for downloading video parts and individually feeds them to the browser, hopefully just in time so the video doesn't stutter. with MSE, javascript can get those parts in any way. this has to go via fetch/xmlhttprequest, so it needs to either be allowed by the cross-origin policy or CORS
so without CORS but assuming the site was built like it is now, twitch's video player would only be able to fetch from https://twitch.tv/*. not even subdomains would be allowed. they'd be forced to do one of three things:
- keep using flash, which had CORS before CORS existed (via
crossdomain.xml files), and hope browsers would keep flash forever because of this
- set up some kind of massive CDN that handles ALL things twitch; the website, the api used for all kinds of stuff, the gigantic video parts, the chat, nearly everything, all on
https://twitch.tv. they could probably split out payments to a separate subdomain which would be one massive headache lifted, just send people to payments.twitch.tv when they have to put in their credit card info (i think they do this even now?)
...and 3: because twitch is in control of their full stack, they could use iframes, which you can embed from somewhere else and then follow their own policies based on where they are loaded from. (iframes were a very bad idea, but well, it'd seriously break the web if removed now. instead, webmasters can block it nowadays and that's common security advice. it's even in the thing i copied from somewhere for my own perpetually unfinished website)
anyway, that would mean they load the video player itself in an iframe loaded from for example https://newyork1.twitchvideocdn.example/examplestreamer and the chat in another. the iframe would be in charge of playing the video and would only be able to load from https://newyork1.twitchvideocdn.example/* but that's ok because the video HLS fragments would also live there. likewise, chat would be loaded from https://newyork1.twitchchat.example/examplestreamer or whatever, and that server would have to handle all the stuff. if you wanted a chat command that plays confetti on the client side, things would get very annoying quickly, but it'd be... doable