I want to share what I think is the canonical guidance on CORS in general:
https://mobile.twitter.com/jaffathecake/status/1222802740243566593
In my opinion, allowing cross origin access to your host is a massively socially conscious improvement to your origin. I for one would greatly appreciate it if more activitypub systems would allow CORS.
It’s important to me to think of activitypub not just as it’s own protocol, but as a part of the wider web. Allowing that web to be weaved among many hosts will be a healthy, cross-connecting thing for the web and for activitypub.