All of the API v3 endpoints on api.github.com support CORS (https://developer.github.com/v3/#cross-origin-resource-sharing): however, the github.com endpoints involved in creating an OAuth2 access token via the Web Flow, specifically https://github.com/login/oauth/access_token, don't support the OPTIONS method or CORS headers necessary to POST to it and get the access_token back.

This is a bug. Denying cross-origin access here doesn't help security, as it is most easily worked around by doing the POST requests through a potentially-insecure third-party open reverse proxy (as implemented using https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token on http://stuartpb.github.io/gistachio/demo.html).