Is CORS considered bad practice?
CORS isn’t bad practice. It is supported on all major browsers, and more and more APIs are supporting it. In fact, if you have a public resource that is not behind a firewall, it is safe to put the Access-Control-Allow-Origin: * header on the resource.
But there is some confusion over the role of CORS on a server. CORS should only dictate the cross-origin policy for a particular resource. In other words, the CORS headers are only meant to indicate whether requests from different origins are allowed. I think the confusion comes in because servers sometimes use CORS to dictate security policy as well. CORS is not security. If servers have resources that need to be protected from certain users, it is not safe to rely solely on the Origin header to enforce this. Your server needs some other mechanism for security (such as OAuth2 and CSRF protection).
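The separation described in the answer above, as an added example that is not part of either answer: the CORS headers are computed from the Origin header, while access to the protected resource is decided from a credential. The paths, origins, token store and bearer-token check are assumptions made for illustration; the token check stands in for whatever mechanism the server actually uses.

```javascript
// Added example: CORS headers and authorization are decided independently.
// All names, origins and tokens below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const SESSIONS = new Map([["constructed-token-123", "alice"]]); // token -> user

// Cross-origin policy only: tells a browser which origins may read the response.
function corsHeaders(origin, isPublic) {
  if (isPublic) return { "Access-Control-Allow-Origin": "*" };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Echo the specific origin; Vary keeps caches from reusing it for others.
    return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  }
  return {}; // no CORS headers: browsers block cross-origin reads
}

// Security decision: based on a credential, never on the Origin header.
function authenticate(headers) {
  const m = /^Bearer (.+)$/.exec(headers["authorization"] || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

function handle(req) {
  const isPublic = req.path === "/public/status";
  const headers = corsHeaders(req.headers["origin"], isPublic);
  if (isPublic) return { status: 200, headers, body: "ok" };
  const user = authenticate(req.headers);
  if (!user) return { status: 401, headers, body: "authentication required" };
  return { status: 200, headers, body: `private data for ${user}` };
}

// An allowed Origin value alone grants nothing; a valid token works without one.
const originOnly = handle({ path: "/private/profile",
  headers: { origin: "https://app.example.com" } });
const tokenOnly = handle({ path: "/private/profile",
  headers: { authorization: "Bearer constructed-token-123" } });
console.log(originOnly.status, tokenOnly.status); // 401 200
```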
No, CORS is not considered bad practice. It's the standard way to do cross-domain AJAX calls (for browsers that support it). Bear in mind, though, that currently, depending on your exact requirements, there could be lots of pitfalls to make it work cross-browser. For example, if you want to be able to set cross-domain cookies, be prepared to suffer with Internet Explorer.
So basically, if you can make CORS work for your needs, go ahead and use it.