Use this tag when you see a message in the browser devtools console about CORS (Cross-Origin Resource Sharing) — e.g., your browser logged an error about Access-Control-Allow-Origin, and you want to know how to eliminate the error. Also for other questions on the CORS protocol (defined in the Fetch Standard as a way to use response headers to tell browsers to relax the same-origin policy and allow cross-origin XHR/Fetch/Ajax requests).
Browsers implement the Same-Origin Policy to block frontend JavaScript code from accessing responses to cross-origin requests.
CORS (Cross-Origin Resource Sharing) is a way that servers can instruct browsers to relax the Same-Origin Policy and allow frontend code to access cross-origin responses.
Configuring a server for CORS never causes the server itself to block any requests; instead, a CORS-enabled server just sends back additional Access-Control-* response headers, and the browser uses the values of those headers to determine whether it should allow frontend code running at a particular origin to access responses from that server.
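As an added illustration (not part of the original tag description), here is a simplified JavaScript model of both sides: a server handler that always runs and always returns the body, and the browser-side CORS check from the Fetch Standard that decides whether frontend code may read it. The allowlist, the origins and the function names are assumptions made for the example, and preflight is not modelled.

```javascript
// Added example; ALLOWED_ORIGINS, handle(), corsCheck() and fetchFrom() are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed allowlist

let runs = 0; // how many times the server-side handler executed
function handlerRuns() { return runs; }

// Server side: CORS configuration only decides which extra headers are attached.
// The handler executes and the body is sent whatever the Origin header says.
function handle(request) {
  runs += 1;
  const headers = { "content-type": "application/json", vary: "Origin" };
  const origin = request.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["access-control-allow-origin"] = origin;
    headers["access-control-allow-credentials"] = "true";
  }
  return { status: 200, headers, body: '{"balance":42}' };
}

// Browser side: the Fetch Standard's CORS check, reduced to its header comparison.
function corsCheck(pageOrigin, credentialsMode, response) {
  const allowOrigin = response.headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;                 // header missing
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;                // exact match required
  if (credentialsMode !== "include") return true;
  return response.headers["access-control-allow-credentials"] === "true";
}

// What frontend code running at pageOrigin would observe.
function fetchFrom(pageOrigin, credentialsMode = "same-origin") {
  const response = handle({ method: "GET", headers: { origin: pageOrigin } });
  const readable = corsCheck(pageOrigin, credentialsMode, response);
  return {
    serverStatus: response.status,                 // what actually went over the wire
    serverSentBody: response.body.length > 0,
    readable,                                      // may frontend JavaScript see it?
    visibleBody: readable ? response.body : null,
  };
}

console.log(fetchFrom("https://app.example", "include"));
console.log(fetchFrom("https://other.example", "include"));
console.log("handler executions:", handlerRuns());
```

Because the handler runs for every origin, and a non-browser client ignores the headers entirely, protecting the data still requires authentication and authorization on the server.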
See also:
- https://fetch.spec.whatwg.org/ (Fetch Living Standard, which defines the CORS protocol)
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
- https://en.wikipedia.org/wiki/Same-origin_policy
- 5xx or 4xx error with “No 'Access-Control-Allow-Origin' header is present”
- How to resolve 'preflight is invalid (redirect)' or 'redirect is not allowed for a preflight request'
- Response to CORS preflight has HTTP status code 405
- It seems the pre-flight for CORS doesn't make sense. Is it a joke?
- preflight