In a nutshell
Cross-Origin Resource Sharing (CORS) is an HTTP mechanism that allows origin servers to grant scripts from other origins access to resources that are otherwise restricted by the same-origin policy.
For example, the same-origin policy of browsers prevents a script from the origin https://foo.com from accessing the response from https://example.com. By configuring the server at https://example.com to respond with certain CORS headers, we can allow scripts from
Only allow requests from a whitelist of origins.
Only allow a subset of HTTP methods.
Access-Control-Allow-Methods: POST, GET, OPTIONS
Only allow a subset of HTTP headers.
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Determine how long the response to a preflight request can be cached by the client before it must send another preflight request.
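The restrictions listed above, combined in one function that computes the CORS response headers for a request. This is an added example, not code from the original page. The names POLICY and corsHeaders, the allowlisted origin, and the 600-second max age are assumptions; the method and header lists reuse the values shown above.

```javascript
// Constructed policy: the origin and max age are assumed values; the
// method and header lists are the ones shown on the page.
const POLICY = {
  origins: new Set(["https://foo.com"]),
  methods: ["POST", "GET", "OPTIONS"],
  headers: ["X-PINGOTHER", "Content-Type"],
  maxAgeSeconds: 600,
};

// Response for a refused request: no Access-Control-* headers at all.
// Vary: Origin keeps shared caches from reusing one origin's answer for another.
const DENY = () => ({ Vary: "Origin" });

// req: { method, headers } with lower-cased header names (as Node's http module provides).
function corsHeaders(req, policy = POLICY) {
  const origin = req.headers["origin"];
  // Exact match against the allowlist; prefix or substring checks would
  // also accept look-alike origins such as https://foo.com.other.example.
  if (!origin || !policy.origins.has(origin)) return DENY();
  const out = { Vary: "Origin", "Access-Control-Allow-Origin": origin };

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const wantMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || !wantMethod) return out;

  // Header names are case-insensitive, so compare them lower-cased.
  const allowed = policy.headers.map((h) => h.toLowerCase());
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!policy.methods.includes(wantMethod) ||
      !wantHeaders.every((h) => allowed.includes(h))) return DENY();

  out["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  out["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  out["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  return out;
}
```

The returned object can be passed to any server's header-setting call; a refused request gets no Access-Control-* headers, so the browser withholds the response from the calling script.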