You’re on the right track. It’s WebCoRE (or SmartThings in this case since they host it) that would need to add the CORS header to the response though.
Internally, we’ve also discussed adding an option to the special REST API Hyperlink syntax that would allow you to route the request through our servers, which is another approach to work around CORS errors.