You are correct. It's just an intro showing a request that works followed by one that fails. They seem similar, but are being affected by the same-origin policy.
api.website.com has to be returning Access-Control-Allow-Origin: https://www.mywebsite.com since the second example denies the request coming from anotherdomain.com.
Sorry if I'm missing something... But in your very first example:
And it goes through fine... How come this is not a cross origin request? It's a different domain and subdomain isn't it?
You are correct. It's just an intro showing a request that works followed by one that fails. They seem similar, but are being affected by the same-origin policy.
api.website.com has to be returning
Access-Control-Allow-Origin: https://www.mywebsite.comsince the second example denies the request coming from anotherdomain.com.I believe that's a typo. Should both be mywebsite.com, otherwise it's a cross-origin request