CORS is a mechanism that lets a web page use resources📁 that the browser🌐 would otherwise refuse 🚫 to hand over, by default. The reason they are refused is the same-origin policy, which ensures a page can only read responses coming from its own origin. An origin is the combination of scheme, host and port, so https://xyz.com and http://xyz.com count as two different origins. That means if my page is served from xyz.com, I can only read resources from xyz.com. If I try to read something from lmn.com it will be blocked 🚫 by the browser. Note that the browser may still send the request; what it blocks is the page's access to the response.
The CORS mechanism in the browser is what lets us use resources available on a different origin. With every cross-origin request the browser automatically adds an Origin header carrying the page's origin. In the response sent from the server 🗄️, there will be an Access-Control-Allow-Origin header which names the origin (or * for any origin) that may use that response. The browser will check 🔍 whether the page's origin matches the allowed value. If it matches, the response can be consumed by the page. Else, the browser throws a CORS error ⛔ and the page never sees the body. Keep in mind that this check happens in the browser after the server has already processed the request, so CORS is not an access-control check on the server side.
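The same-origin comparison and the Origin / Access-Control-Allow-Origin exchange described above, as an added example that is not part of the original post. All function names (originOf, sameOrigin, corsHeadersFor, responseReadable, demo), the allow-list and the sample page and API URLs are my own constructions. It goes slightly beyond the text by also handling the * wildcard and the rule that a wildcard is never accepted for requests sent with credentials.

```javascript
// Added example (not from the original post). Models what the browser and a
// well-behaved server each do for a cross-origin request; no network involved.

// An origin is scheme + host + port. URL.origin normalises the default port away,
// so "https://xyz.com:443/a" and "https://xyz.com/b" are the same origin.
function originOf(url) {
  return new URL(url).origin;
}

// The same-origin policy check: all three components must match.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Server side: given the Origin header of the incoming request, decide which
// CORS headers to send back. Only origins on an explicit allow-list get an
// Access-Control-Allow-Origin header; everyone else gets none, so the browser
// will refuse to expose the response. (allowList is a constructed input.)
function corsHeadersFor(requestOrigin, allowList) {
  const headers = {};
  if (requestOrigin && allowList.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    // The answer depends on Origin, so tell shared caches not to reuse it
    // for a different origin.
    headers["Vary"] = "Origin";
  }
  return headers;
}

// Browser side: the check performed before the response is handed to the
// page's JavaScript. `credentials` is true when the request carried cookies
// (fetch with credentials: "include").
function responseReadable(pageOrigin, responseHeaders, credentials = false) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;   // header missing: CORS error
  if (allow === "*") return !credentials;  // wildcard is rejected with credentials
  return allow === pageOrigin;             // otherwise must match exactly
}

// Worked exchange: a page on xyz.com reads an API on lmn.com whose allow-list
// contains xyz.com, and an attacker page on another origin tries the same.
function demo() {
  const page = "https://xyz.com/app";
  const api = "https://lmn.com/api/data";
  const allowList = ["https://xyz.com", "https://admin.xyz.com"];

  const origin = originOf(page); // browser sends: Origin: https://xyz.com
  const goodResponse = corsHeadersFor(origin, allowList);
  const attackerOrigin = "https://evil.example";
  const attackerResponse = corsHeadersFor(attackerOrigin, allowList);

  return {
    crossOrigin: !sameOrigin(page, api),                          // true
    allowed: responseReadable(origin, goodResponse),              // true
    blockedForAttacker: responseReadable(attackerOrigin, attackerResponse), // false
  };
}

console.log(demo());
```

The server function deliberately returns no header rather than echoing whatever Origin it received; reflecting the request origin back unconditionally would let any site pass the browser's check.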
One point to understand: CORS is enforced only by clients like browsers. It does not come into the picture when requests are made with cURL or Postman; those tools send whatever you ask and show the full response, Origin header or not. So CORS is not a substitute for authentication or authorisation on the server.
The same-origin policy is beneficial 👌 because it prevents 🚫 malicious 🦠 websites from reading our data on other sites, including responses to requests the browser sent along with our cookies. As mentioned, for a resource to be readable it must either be in the same origin or be whitelisted 📄 by the server through the Access-Control-Allow-Origin header.