Hi Matias. Thank you. Sorry I do not have much info on CORS implementation. However, what I know is that we cannot use the above implementation in browser as we will be exposing AppId, AppSecret and also the token which is not secure. I mainly use the above implementation on server side (i.e. either in an API or say an Azure function). The server side functionality will do all the hard work and provide us the required data. Hope this helps.

SharePoint developer at Content+Cloud.

SharePoint developer at Content+Cloud.