What is CORS?

CORS = Cross-Origin Resource Sharing

A browser security mechanism that controls whether a webpage on one origin can request resources from a different origin.

What is an Origin?

Origin = Protocol + Domain + Port

https://example.com:443
  ^          ^        ^
protocol   domain   port

Same origin — all three must match exactly.

Different origin examples:


How CORS Works (3 Steps)

Step 1 — Browser sends a preflight request

OPTIONS /
Host: www.other.com
Origin: https://www.example.com

Browser is asking: "Am I allowed to fetch from you?"

Step 2 — Server responds with CORS headers

Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Methods: GET, PUT, DELETE

Server says: "Yes, that origin is allowed."

Step 3 — Browser makes the actual request
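
The origin comparison and the Step 1 / Step 2 exchange above, sketched as server-side JavaScript. This is an added example, not code from the original notes; `originTuple`, `sameOrigin`, `answerPreflight`, the allowlist and the 400/403/204 status codes are assumptions made for illustration.

```javascript
// Added example; function names, allowlist and status codes are assumptions.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a URL or Origin header value into (protocol, domain, port).
function originTuple(value) {
  const u = new URL(value); // throws on malformed input such as "null"
  return {
    protocol: u.protocol, // "https:"
    domain: u.hostname,   // lower-cased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // URL omits default ports
  };
}

// Same origin only when all three parts match exactly.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.protocol === y.protocol && x.domain === y.domain && x.port === y.port;
}

// Constructed server policy, mirroring the headers shown in Step 2.
const ALLOWED_ORIGINS = ["https://www.example.com"];
const ALLOWED_METHODS = ["GET", "PUT", "DELETE"];

// Step 1 -> Step 2: decide how to answer a preflight request.
function answerPreflight(request) {
  const origin = request.headers["origin"];
  if (request.method !== "OPTIONS" || !origin) return { status: 400, headers: {} };
  let match;
  try {
    match = ALLOWED_ORIGINS.find((allowed) => sameOrigin(allowed, origin));
  } catch {
    match = undefined; // unparsable Origin header is treated as not allowed
  }
  // Without CORS headers in the reply, the browser never performs Step 3.
  if (!match) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      // Return the allowlist entry, not the raw header and not "*".
      "Access-Control-Allow-Origin": match,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Vary": "Origin", // caches must key the response on the Origin header
    },
  };
}
```

Comparing parsed triples rather than matching substrings is what keeps a look-alike such as `https://www.example.com.evil.test` from passing the allowlist.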