Are you doing headless or something weird with the domains?
CORS should not really be a problem if you use the same domain or configure it correctly.
Regarding your development config, it is as you write: it’s not suitable for production.
Instead you should add the domains you trust like the CORS documentation describes:
Again, you should not really be struggling with this unless you're doing some weird cross-domain stuff.