Cross-Origin Resource Sharing (CORS) - HTTP | MDN
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a “preflight” request to the s…

Notes

The Same-Origin Policy stops script running in one origin from reading responses fetched from a different origin. It does not stop the request from being sent (a cross-origin form POST or image load still goes out, cookies included); what it blocks is JavaScript reading what comes back, unless CORS says otherwise.

Requests made by https://a.com/latest (origin = scheme https, host a.com, default port 443; the path is not part of the origin)

| URL | Result | Reason |
|---|---|---|
| https://a.com/myInfo | Allowed | Same origin |
| **http:**//a.com/users.json | Blocked | Different scheme (and therefore different default port, 80 vs 443) |
| https://**api**.a.com/info | Blocked | Different host (a subdomain is a different host) |
| https://a.com**:8443**/file | Blocked | Different port |
| https://**b**.com/analytics | Blocked | Different host |

Please note that embedding is not the same as reading: a page may load cross-origin images, scripts, stylesheets and iframes (the request is allowed), but script cannot read their contents, e.g. the pixel data of a cross-origin image drawn to a canvas, or the DOM of a cross-origin iframe.
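An added example (my code, not from the MDN page) that computes the origin tuple the browser compares, reports which component differs, and produces the string the browser would put in the `Origin` request header. The URLs are the ones from the table above; `DEFAULT_PORTS`, `originOf`, `serializeOrigin` and `compareOrigins` are names chosen here.

```javascript
// Added example (not code from the MDN page): compute the origin tuple
// (scheme, host, port) of a URL and explain why two URLs do or do not share
// an origin. The URLs exercised are the ones from the table above.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple as the browser sees it. URL.port is "" for a scheme-default
// port, so fill it in; https://a.com and https://a.com:443 are one origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// The string the browser sends in the Origin request header: scheme://host,
// with the port only when it is not the scheme default. The path is not part
// of the origin, so /latest versus /myInfo never matters.
function serializeOrigin(urlString) {
  const o = originOf(urlString);
  const suffix = o.port && o.port !== DEFAULT_PORTS[o.scheme] ? ":" + o.port : "";
  return `${o.scheme}//${o.host}${suffix}`;
}

// Compare two URLs and report every origin component that differs.
function compareOrigins(baseUrl, targetUrl) {
  const a = originOf(baseUrl);
  const b = originOf(targetUrl);
  const reasons = [];
  if (a.scheme !== b.scheme) reasons.push("different scheme");
  if (a.host !== b.host) reasons.push("different host");
  if (a.port !== b.port) reasons.push("different port");
  return { sameOrigin: reasons.length === 0, reasons };
}
```

Running `compareOrigins("https://a.com/latest", "http://a.com/users.json")` reports both a scheme and a port difference, which is why the table lists two reasons for that row even though only the scheme was changed.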


CORS headers start with “Access-Control”

Access-Control-Allow-Origin
Names the origin that may read the response. It is the most important header because it is the allowlist of which origins may use this host's resources from script.
The value is `*` (any origin, honoured only for requests made without credentials), a single origin such as `https://a.com`, or `null`. Only one origin fits in the header, so a server that serves several origins must match the request's `Origin` header against its list and echo the matching entry with `Vary: Origin`; echoing `Origin` without checking it makes the allowlist meaningless. Do not allow `null`: sandboxed iframes, `file://` pages and some redirects all produce the `null` origin, so it does not identify any one site.

Access-Control-Allow-Credentials
Indicates whether a request that carries credentials (cookies, the Authorization header, TLS client certificates) may have its response read ← !!!!
The only valid value is `true`, and the browser refuses it together with `Access-Control-Allow-Origin: *`. This is the header that turns an over-broad allowlist into a leak of authenticated data, hence the emphasis.

Access-Control-Expose-Headers
Instructs the browser to let JavaScript read the named response headers. Without it script sees only the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma).

Access-Control-Max-Age
Instructs the browser to cache the result of a preflight for this URL for X seconds, so repeated non-simple requests skip the extra OPTIONS round trip. Browsers cap the value (Chromium at 2 hours, Firefox at 24 hours), so very large values do not buy more.

A request is “simple” (sent without a preflight) only when the method is GET, HEAD or POST, every request header is CORS-safelisted (Accept, Accept-Language, Content-Language, Content-Type), and the Content-Type, if present, is application/x-www-form-urlencoded, multipart/form-data or text/plain.
Any other method (PUT, DELETE, PATCH, …), any custom header (Authorization, X-Requested-With, …), or a POST with another content type such as application/json makes the browser send a preflight first. Note that a simple request is still sent even when the server returns no CORS headers; only the response is withheld from script, which is why CORS on its own does not prevent CSRF.

The preflight is an OPTIONS request to the same URL carrying Origin, Access-Control-Request-Method and, when non-safelisted headers are involved, Access-Control-Request-Headers. The server answers with Access-Control-Allow-Methods and Access-Control-Allow-Headers (plus Allow-Origin and optionally Max-Age), and the browser sends the real request only if that answer covers its method and headers. The browser issues the preflight itself and script cannot suppress it; sending OPTIONS by hand (e.g. from curl) shows what the server would allow, but it is the browser's comparison, not the server's reply alone, that decides.
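An added example (my code, not from the MDN page and not browser source) covering the two paragraphs above: the simple-request test that decides whether a preflight is needed, the OPTIONS request the browser builds, a made-up server policy answering it, and a simplified version of the browser's comparison of the answer against the real request. `POLICY`, the origins and all function names are assumptions for the illustration.

```javascript
// Added example, not code from the MDN page. Implements the simple-request
// rules, builds the preflight the browser would send, answers it with a
// made-up server policy, and checks the answer the way the browser does
// (simplified: exact Origin match only, no "*" handling).

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Request header names that are not CORS-safelisted and so force a preflight.
// Content-Type is safelisted only for three MIME types; parameters such as
// "; charset=utf-8" do not matter.
function unsafeHeaderNames(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) { out.push(lower); continue; }
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) out.push(lower);
    }
  }
  return out.sort();
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// The OPTIONS request the browser sends before a non-simple request.
function buildPreflight(origin, method, headers) {
  const h = { Origin: origin, "Access-Control-Request-Method": method.toUpperCase() };
  const unsafe = unsafeHeaderNames(headers);
  if (unsafe.length > 0) h["Access-Control-Request-Headers"] = unsafe.join(", ");
  return { method: "OPTIONS", headers: h };
}

// Made-up API policy: which origins, methods and headers the server accepts.
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: new Set(["GET", "POST", "PUT", "DELETE"]),
  headers: new Set(["content-type", "authorization"]),
  maxAge: 600,
};

const splitList = (value) => (value || "").split(",").map((s) => s.trim()).filter(Boolean);

// Server side: answer the preflight, or refuse by sending no CORS headers.
function answerPreflight(preflight) {
  const h = preflight.headers;
  if (!POLICY.origins.has(h.Origin)) return {};
  if (!POLICY.methods.has(h["Access-Control-Request-Method"])) return {};
  const wanted = splitList(h["Access-Control-Request-Headers"]).map((s) => s.toLowerCase());
  if (!wanted.every((name) => POLICY.headers.has(name))) return {};
  return {
    "Access-Control-Allow-Origin": h.Origin,
    "Access-Control-Allow-Methods": [...POLICY.methods].join(", "),
    "Access-Control-Allow-Headers": [...POLICY.headers].join(", "),
    "Access-Control-Max-Age": String(POLICY.maxAge),
    Vary: "Origin",
  };
}

// Browser side: does the preflight answer cover the real request?
// GET/HEAD/POST never need to be listed in Allow-Methods.
function preflightPasses(preflight, response) {
  const h = preflight.headers;
  if (response["Access-Control-Allow-Origin"] !== h.Origin) return false;
  const method = h["Access-Control-Request-Method"];
  const allowedMethods = new Set(splitList(response["Access-Control-Allow-Methods"]).map((s) => s.toUpperCase()));
  if (!SAFE_METHODS.has(method) && !allowedMethods.has(method)) return false;
  const allowedHeaders = new Set(splitList(response["Access-Control-Allow-Headers"]).map((s) => s.toLowerCase()));
  return splitList(h["Access-Control-Request-Headers"]).every((name) => allowedHeaders.has(name.toLowerCase()));
}
```

A useful thing to try is `needsPreflight("POST", { "Content-Type": "application/json" })`: it is true, while the same POST with `application/x-www-form-urlencoded` is false, which is exactly the gap that makes form-encoded endpoints reachable without any preflight at all.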