CORS or Cross-Origin Resource Sharing is a browser security feature that controls how a web page from one origin (domain + protocol + port) can make requests to a different origin.
Knowledge of Same Site and Same Origin is required for this page.
Why do we need CORS?
By default, browsers stop JavaScript running on one origin from reading the response to a request it makes to a different origin (the same-origin policy). This prevents a malicious site from reading sensitive data from another site via JavaScript.
For example, without this restriction:
`fetch('https://bank.com/account')` could be run from a malicious site (`https://evil.com`), and the script there could read the response and steal your data.
CORS is a server-side policy that tells the browser, "It's okay to let this other origin access my resources." It uses HTTP response headers to grant or deny that permission.
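As an added example (not code from the original page), here is that server-side decision written for a Node.js handler, with the common weak form (reflect whatever `Origin` arrives) beside an exact-match allowlist form; the origin names and function names are assumptions:

```javascript
// Added example (not from the original page): a CORS policy decision written as a
// pure function so it can sit in front of any Node.js HTTP handler. The origin
// names are hypothetical; `requestHeaders` is assumed to use lowercase keys, as
// Node's http module provides them.
const ALLOWED_ORIGINS = new Set([
  'https://app.bank.example',
  'https://admin.bank.example',
]);

// Weak policy: reflects whatever Origin the request carries. Paired with
// Access-Control-Allow-Credentials: true, this lets a page on any origin read
// authenticated responses, which is exactly what the same-origin policy exists to stop.
function weakCorsHeaders(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: the Origin must match an allowlist entry exactly (no prefix,
// substring or regex matching), Vary: Origin keeps shared caches from serving one
// origin's grant to another, and a preflight (OPTIONS carrying
// Access-Control-Request-Method) is answered only for allowed origins.
function corsHeaders(method, requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders.origin;
  const headers = { Vary: 'Origin' };
  // No grant: the browser refuses to hand the response body to the calling script.
  if (!origin || !allowed.has(origin)) return headers;
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS' && requestHeaders['access-control-request-method']) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

A request with no `Origin` header (same-origin, or non-browser) gets no grant at all, which is the correct default; only the headers returned by `corsHeaders` need to be copied onto the response.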
CORS applies to
- `fetch()` or `XMLHttpRequest` calls to other origins
- Fonts, images, scripts, videos loaded cross-origin (to control who can access the response)
- Web APIs like `Canvas`, `WebGL`, etc.
CORS does not apply to
- HTML `<form>` submissions
- Server-to-server requests
- Redirects or links (`<a href="...">`)