Understand the browser CORS flow
CORS is a browser response-sharing protocol layered on HTTP, not proof that the network request failed.
- cors
- browsers
- origins
CORS controls browser response sharing
The same-origin policy limits how a document or script interacts with another origin. CORS lets a server opt into sharing selected responses with a requesting origin. It does not authenticate the caller, protect an endpoint from non-browser clients, or replace authorization.
GET /profile HTTP/1.1
Host: api.example.invalid
Origin: https://app.example.invalid
Expected result: the request identifies the caller’s origin. The server’s
response fields determine whether a browser can expose the response to that
script; the Origin field is not permission by itself.
Some requests proceed without preflight
Fetch defines CORS-safelisted methods and request fields. A cross-origin request that stays within those constraints can be sent directly, followed by the CORS check on the response. “Simple request” is common shorthand, not a different HTTP method or a bypass of server-side security.
The response still needs a compatible Access-Control-Allow-Origin value. A
server can process the request and return 200, yet the browser can make the
response unavailable to page JavaScript when the check fails.
Preflight asks permission for the intended request
For a non-safelisted method, field, or certain Fetch conditions, the browser first
sends OPTIONS with Origin, Access-Control-Request-Method, and possibly
Access-Control-Request-Headers. A successful preflight response names the
allowed origin, method, and fields. Only then can the actual request proceed.
Preflight failures are diagnosed on the OPTIONS exchange, not by repeatedly
changing the actual request. Redirects, authentication challenges, missing fields,
and mismatched values can all affect the result.
Credentials narrow the valid response
Cookies and HTTP authentication are credentials. Script must request the appropriate credentials mode, and the server must opt into credentialed sharing. The wildcard origin is not valid for a credentialed CORS response; the server returns a matching explicit origin and allows credentials.
This CORS permission does not create or expand cookie scope. A cookie can still be withheld by Domain, Path, Secure, SameSite, expiry, or browser privacy policy.
Read the browser error with the network record
Browser consoles intentionally provide limited CORS detail to script. Use the network panel and server logs to distinguish DNS/TLS failure, an HTTP error, a failed preflight, a successful response that failed the sharing check, and an application error after a readable response.
