Description
https://bugzilla.mozilla.org/show_bug.cgi?id=1039678 has evidence of users doing automated testing in Chrome with --disable-web-security in order to allow running tests against sites that depend on external servers where the external server is sending CORS headers that allow the production instance of the site but disallow requests from the staging instance. These tests don't work cross browser because they are using a Chrome-only feature that people are wary of exposing even as a pref. But given that WebDriver already requires explicit opt-in and gives full control of the browser, it doesn't seem much more problematic than e.g. acceptInsecureCerts.
I suggest that the capability takes a specific list of domains for which CORS should be disabled and returns a list of domains for which it actually was disabled (so it would be conforming to return the empty list, although this might affect the ability to run tests). Alternatively it could just return a boolean indicating that we were able to disable CORS for those sites.