CORS isn't related to XSS. CORS actually isn't a security protection at all. It's a way for web apps to explicitly disable standard protections that browsers apply to enforce the same-origin policy.
You might be thinking of Content Security Policy (CSP).[0] That's the most effective protection I'm aware of for XSS, but it's not very widely used because so few JavaScript libraries are compatible with it.
Yeah, eval is the main culprit, but there's also Function, setTimeout, setInterval and friends.[0]
The other gotcha is that with a secure CSP policy, you can no longer do things like <button onclick="handleClick"> because that's inline JS, so that's kind of a bummer.
[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
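Added example, not part of the original thread: a small audit of a Content-Security-Policy header value that reports whether it still permits the two things discussed above, string evaluation (eval, Function, string-form setTimeout/setInterval) and inline handler attributes such as onclick. The function names and the sample headers are constructed for illustration.

```javascript
// Constructed sample headers, not taken from any real site.
const SAMPLES = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "script-src 'self' 'unsafe-inline' 'nonce-abc123'",
];

// Split a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // A repeated directive is ignored by browsers: the first one wins.
    if (!policy.has(tokens[0])) policy.set(tokens[0], tokens.slice(1));
  }
  return policy;
}

// First directive in the fallback chain that is present, or null if none is.
function effectiveSources(policy, chain) {
  for (const name of chain) if (policy.has(name)) return policy.get(name);
  return null;
}

// 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
function allowsAllInline(sources) {
  const overridden = sources.some(
    (s) => /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'"
  );
  return !overridden && sources.includes("'unsafe-inline'");
}

// Hypothetical helper: which of the thread's two pain points does a policy permit?
function auditCsp(header) {
  const policy = parseCsp(header);
  const script = effectiveSources(policy, ["script-src", "default-src"]);
  const attr = effectiveSources(policy, ["script-src-attr", "script-src", "default-src"]);
  return {
    // eval, new Function, and setTimeout/setInterval called with a string
    stringEval: script === null || script.includes("'unsafe-eval'"),
    // onclick="..." and other inline handler attributes (blanket allowance only;
    // per-handler 'unsafe-hashes' matching is not modelled here)
    inlineHandlers: attr === null || allowsAllInline(attr),
  };
}

for (const h of SAMPLES) console.log(h, "=>", auditCsp(h));
```

A policy with no script-src, script-src-attr or default-src directive places no restriction on scripts, so both fields come back true for it.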