What is CORS? A practical guide for web developers
Learn how Cross-Origin Resource Sharing works, why browsers enforce it, and how it relates to APIs and proxies.
Why browsers block cross-origin requests
By default, scripts on one origin cannot read responses from another origin. This protects cookies and tokens from being silently exfiltrated by arbitrary websites.
CORS is the mechanism that lets a server explicitly opt in to cross-origin access by sending specific HTTP response headers.
What developers need to remember
The browser compares the page origin with the URL you fetch. If they differ, access to the response body may be denied unless the API allows your origin.
Server-side code or a controlled proxy can call third-party APIs without CORS, because CORS is enforced in the browser—not in curl or backend jobs.
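
The origin comparison and header opt-in described above, as an added example that is not code from the original post: a server-side allowlist that builds the CORS response headers, next to a simplified model of the browser's read decision. It covers simple requests only (no preflight); the allowlist, origins and function names are hypothetical.

```javascript
// Constructed allowlist of origins the API chooses to trust (assumption).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Server side: build CORS response headers from the request's Origin header.
function corsHeadersFor(requestOrigin, { credentials = false } = {}) {
  // Unknown or missing origin: send no CORS headers, so the browser denies the read.
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    // Return the exact allowlisted origin; never reflect an arbitrary Origin value.
    "Access-Control-Allow-Origin": requestOrigin,
    // The response differs per origin, so caches must key on the Origin header.
    "Vary": "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side (simplified model): may a script on pageOrigin read this response?
function scriptMayRead(pageOrigin, requestUrl, responseHeaders, withCredentials = false) {
  const page = new URL(pageOrigin).origin;     // scheme + host + port
  const target = new URL(requestUrl).origin;
  if (page === target) return true;            // same origin: CORS is not involved
  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  if (!allowOrigin) return false;              // server did not opt in
  if (withCredentials) {
    // Credentialed requests: the wildcard is not accepted, and the server
    // must also send Access-Control-Allow-Credentials: true.
    return allowOrigin === page &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === page;
}
```

A backend job or curl never runs the second function: it receives the response whatever headers are present, which is why the allowlist is not a substitute for authentication on the API.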
