@estrom We actually do support CORS requests when using https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/, as your requests will go through api.atlassian.com were token based authentication is the only thing we allow.
For further explanation: The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site.
The alternative is to proxy your requests through your own backend, which is @sfbehnke was referring to.
Hope this makes sense. Let me know if you have any other questions please.