Same-origin policy vs CORS: how they work together
The same-origin policy isolates sites; CORS selectively relaxes that isolation for APIs you trust.
Tags: security, browser, cors
What “origin” means
An origin combines scheme, host, and port. https://app.example.com and https://api.example.com are different origins even on the same registrable domain.
The browser applies separate storage, cookies, and fetch rules per origin to reduce cross-site leaks.
Where CORS fits
CORS does not replace authentication. It only declares which browser origins may read cross-origin responses.
For machine-to-machine traffic you still rely on TLS, keys, and network policies—CORS is not involved on the server-to-server path.
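To make both points concrete, here is an added example (not code from the original post): it reduces a URL to the scheme/host/port triple the same-origin policy compares, and shows a server-side allowlist check that only echoes an exact, normalised origin back in Access-Control-Allow-Origin. The allowlist and origin strings are constructed sample values.

```javascript
// Added example, not from the original post. Origins and the allowlist
// below are constructed sample values.

const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Reduce a URL to the (scheme, host, port) triple that defines its origin.
// An explicit default port collapses to the default, so https://a.example:443
// and https://a.example are the same origin, as browsers treat them.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  if (port === undefined) throw new Error(`unsupported scheme ${u.protocol}`);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Same-origin policy comparison: all three components must match exactly.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Serialise an origin the way the browser sends it in the Origin header.
function serializeOrigin(o) {
  const def = DEFAULT_PORTS[o.scheme + ":"];
  return `${o.scheme}://${o.host}${o.port === def ? "" : ":" + o.port}`;
}

// Decide the CORS response headers for one request. `requestOrigin` is the
// Origin header value, or null when absent (same-origin or server-to-server
// traffic, where CORS plays no role and authentication still applies).
// Only an exact allowlist match is echoed back; anything else gets no
// Access-Control-Allow-Origin, so the browser refuses to expose the response
// to the calling page. Credentials are never combined with a "*" origin.
function corsHeadersFor(requestOrigin, allowlist) {
  if (requestOrigin === null) return {};
  let canon;
  try { canon = serializeOrigin(originOf(requestOrigin)); } catch { return {}; }
  if (!allowlist.includes(canon)) return {};   // exact match, not a substring test
  return {
    "Access-Control-Allow-Origin": canon,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                            // caches must not reuse across origins
  };
}

const ALLOWED = ["https://app.example.com"];   // constructed allowlist
```

Note that https://app.example.com.evil.test is rejected because the check compares whole normalised origins rather than prefixes.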
