CORS has nothing to do with (dis)allowing 'mutating requests from random origins' on the server unless I'm misunderstanding what you mean. The origin is a browser concept.

Not sure why you're being downvoted. CORS is only a browser concept. If you fire off requests from something that isn't a browser (e.g. curl or a python script or whatever) CORS won't do anything. Servers need to validate the origin of requests properly if that's a problem.