Downsides of 'Access-Control-Allow-Origin: *'?

Tag: nginx


You might not want to use a wildcard when e.g.:

  1. Your web app and, let’s say, its AJAX backend API are running on different domains, or just on different ports, and you do not want to expose the backend API to the whole Internet; then you do not send *. For example, your web app is on http://www.example.com and the backend API on http://api.example.com; then the API would respond with Access-Control-Allow-Origin: http://www.example.com.
  2. If the API wants to request cookies from the client, it must not send Access-Control-Allow-Origin: *; instead its value must be the value of the origin from the actual request.
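Since the question is tagged nginx, here is an added example (not code from the question or from either answer) of a server block for api.example.com that does both of the things listed above: it echoes the Origin header back only when it is on an explicit allowlist, and it sends Access-Control-Allow-Credentials only in that case. The hostnames are the ones from the answer; the upstream name `backend`, the allowed methods and headers, and the TLS listener are assumptions.

```nginx
# Map the request's Origin header to the value we are willing to echo back.
# Any origin not listed maps to "" and add_header then emits nothing, so an
# unknown site gets no CORS headers at all (the browser blocks the read).
# Match scheme and host exactly; do not use a regex like ~example\.com$,
# which would also match attacker-controlled names such as evil-example.com.
map $http_origin $cors_origin {
    default                    "";
    "https://www.example.com"  $http_origin;
    "http://www.example.com"   $http_origin;
}

# Allow-Credentials is only meaningful (and only accepted by browsers) next to
# a concrete origin, never next to "*". "~." matches any non-empty value.
map $cors_origin $cors_credentials {
    default  "";
    "~."     "true";
}

upstream backend {
    server 127.0.0.1:8080;   # assumption: the API process behind nginx
}

server {
    listen 443 ssl;
    server_name api.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location / {
        # "always" also attaches the headers to 4xx/5xx responses, so the
        # browser can read error bodies cross-origin from the allowed site.
        add_header Access-Control-Allow-Origin      $cors_origin      always;
        add_header Access-Control-Allow-Credentials $cors_credentials always;
        # The response now depends on Origin; tell shared caches so one
        # origin's Allow-Origin header is never served to another origin.
        add_header Vary Origin always;

        # Preflight: answer it here instead of forwarding it to the app.
        # add_header is not inherited into an "if" block, so repeat it.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin      always;
            add_header Access-Control-Allow-Credentials $cors_credentials always;
            add_header Vary Origin always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE" always;
            add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
            add_header Access-Control-Max-Age 600 always;
            return 204;
        }

        proxy_pass http://backend;
    }
}
```

Check it with `nginx -t` and then with two requests: `curl -sI -H 'Origin: https://www.example.com' https://api.example.com/` should show `Access-Control-Allow-Origin: https://www.example.com` and `Access-Control-Allow-Credentials: true`, while `curl -sI -H 'Origin: https://other.example' https://api.example.com/` should show neither header. Note that CORS only governs what a browser lets a page read; it is not an authentication mechanism, so the API still needs its own session or token checks.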


In my opinion, the downside is that you could have other websites consuming your API without your explicit permission.

Imagine you have an e-commerce site; another website could do all the transactions using their own look and feel, but backed by you. For you it is good in the end, because you will get the money, but your brand will lose its "recognition".

Another problem could be if this website changed the payload sent to your backend, doing things like changing the delivery address and other things.

The idea behind it is just not to authorize unknown websites to consume your API and show its result to users.


You could use the hosts file to map 127.0.0.1 to your domain name, "dev.mydomain.com", since you do not want to use Access-Control-Allow-Origin: *.