Understanding Same-Origin Policy and CORS: Fundamentals, Request Flow, and Security Implications
This article explains the same‑origin policy, its role in restricting DOM, data, and network access, introduces Cross‑Origin Resource Sharing (CORS) with simple and preflight requests, and outlines how servers should configure headers to safely enable cross‑origin communication.
In modern web development, browsers enforce a security mechanism called the Same‑Origin Policy (SOP) that restricts how documents and scripts from one origin can interact with resources from another origin. Two URLs are considered same‑origin when they share the same protocol, host, and port.
What is Same‑Origin Policy
The SOP limits three main aspects:
DOM access: a script cannot read or manipulate the DOM of a document loaded from a different origin; for example, touching iframe.contentWindow.document across origins throws a SecurityError.
Web data: XMLHttpRequest and Fetch calls to another origin are still sent (with that origin's cookies attached, by default), but the response is withheld from the calling script unless the target server opts in via CORS.
Network communication: in browsers with site isolation, the network layer also refuses to deliver certain cross‑origin response bodies (HTML, XML, JSON fetched without CORS approval) to the renderer process at all (Cross‑Origin Read Blocking), so even a memory‑disclosure bug in the renderer cannot leak them.
Without the SOP, any page a user visits could read that user's logged‑in data from another site, scrape its DOM, or forge actions and read the results. The SOP is what reduces cross‑site request forgery (CSRF) to a blind, write‑only attack and what keeps a compromised or malicious origin from harvesting other origins' data. It is a browser‑side boundary only: it does not protect against server‑side flaws such as SQL injection, nor against XSS within the same origin.
CORS (Cross‑Origin Resource Sharing)
CORS is the mechanism by which a server relaxes the SOP for specific origins. When a page requests a resource from a different origin, the browser either sends the request directly (a simple request) or first sends a preflight OPTIONS request (for non‑simple requests) to learn whether the server permits the actual request.
A simple request uses only GET, HEAD, or POST; only CORS‑safelisted headers (Accept, Accept‑Language, Content‑Language, and Content‑Type limited to application/x-www-form-urlencoded, multipart/form-data, or text/plain); and no ReadableStream body or upload progress listeners. It is sent without a preflight, so the server receives and processes it even if the browser later denies the script access to the response. CORS is therefore not a CSRF defence; the server still needs its own CSRF protection.
For a preflight request, the browser sends OPTIONS with Origin, Access-Control-Request-Method and, if needed, Access-Control-Request-Headers; the preflight itself carries no credentials and must be answered with a 2xx status. The server responds with Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, optionally Access-Control-Allow-Credentials, and optionally Access-Control-Max-Age to indicate how long the browser may cache the permission (browsers impose their own upper bound).
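To make the simple‑versus‑preflight rule concrete, here is an added example (not code from the original article) that classifies a request using the CORS‑safelisted method and header rules and builds the OPTIONS preflight a browser would send for a non‑simple request. The function names and the sample requests are constructed for illustration; the Range header, safelisted for plain byte ranges in current browsers, is omitted for brevity.

```javascript
// Added example, not from the original article: classify a cross-origin
// request as simple or preflighted and build the preflight for the latter.
// Function names and sample requests are illustrative.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
// Header names that may appear on a simple request (Range omitted here).
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Only these media types keep Content-Type safelisted; application/json does not.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when this name/value pair is CORS-safelisted per the Fetch spec rules.
function isSafelistedHeader(name, value) {
  const lname = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(lname)) return false;
  // Safelisted values are capped at 128 bytes; longer values force a preflight.
  if (new TextEncoder().encode(value).length > 128) return false;
  if (lname === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return true;
}

// headers is a plain object of {name: value}. Returns true when the browser
// would send an OPTIONS preflight before the actual request.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

// Build the preflight OPTIONS request the browser sends for a non-simple
// request. Returns null when no preflight is needed.
function buildPreflight(origin, method, headers) {
  if (!needsPreflight(method, headers)) return null;
  const unsafe = Object.keys(headers)
    .filter((n) => !isSafelistedHeader(n, headers[n]))
    .map((n) => n.toLowerCase())
    .sort();
  const preflight = {
    method: "OPTIONS",
    headers: {
      Origin: origin,
      "Access-Control-Request-Method": method.toUpperCase(),
    },
  };
  if (unsafe.length > 0) {
    preflight.headers["Access-Control-Request-Headers"] = unsafe.join(",");
  }
  return preflight;
}

// Constructed sample requests from https://app.example.com to another origin.
const SAMPLES = [
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }], // simple
  ["POST", { "Content-Type": "application/json" }],                  // preflight
  ["GET", { Authorization: "Bearer constructed-token" }],            // preflight
  ["PUT", { "Content-Type": "application/json", "X-Request-Id": "abc" }],
];

for (const [method, headers] of SAMPLES) {
  const pf = buildPreflight("https://app.example.com", method, headers);
  console.log(method, JSON.stringify(headers), pf ? "-> preflight" : "-> simple");
  if (pf) console.log("   ", JSON.stringify(pf.headers));
}
```

Note that a form‑encoded POST is sent straight to the server with cookies attached, which is why the preflight alone cannot serve as CSRF protection.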
Credentials and Wildcards
When credentials (cookies, HTTP authentication, client certificates) are involved, the server must send Access-Control-Allow-Credentials: true and must not use the wildcard "*" for Access-Control-Allow-Origin; it must return one specific origin. That origin should be the requesting origin only after it has been checked against an explicit allowlist of exact scheme, host, and port values: blindly echoing whatever Origin header arrives, or matching it with a loose suffix or regular expression, lets any site read the user's authenticated responses, which is the classic CORS misconfiguration. Reject a literal "null" origin as well, since sandboxed iframes and some redirects produce it. Because the response now differs per origin, add Vary: Origin so shared caches do not serve one origin's grant to another. Likewise, Access-Control-Allow-Headers and Access-Control-Allow-Methods should list explicit values: with credentials, browsers treat "*" in these headers as a literal header or method name rather than a wildcard, so the request is refused anyway.
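The difference between reflecting the Origin header and checking it against an allowlist is easiest to see side by side. The following is an added example, not code from the original article: two weak server‑side policies (blind reflection and a suffix match) next to a hardened one. The allowlist entries, function names, and test origins are constructed for illustration.

```javascript
// Added example, not from the original article: server-side CORS header
// decisions for credentialed requests. The allowlist and names are constructed.

// Exact origins (scheme + host + port). Nothing else is accepted.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// WEAK: reflects whatever Origin the client sent and enables credentials.
// Any site can now read the victim's authenticated responses.
function weakReflectCors(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// WEAK: a loose suffix check. "https://evil-example.com" ends with
// "example.com", so an attacker-registered domain passes.
function weakSuffixCors(requestOrigin) {
  if (!requestOrigin || !requestOrigin.endsWith("example.com")) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: exact-match allowlist, no "null" origin, explicit method and
// header lists, and Vary: Origin because the response depends on the origin.
function hardenedCors(requestOrigin) {
  // Missing Origin (same-origin page or non-browser client) or the literal
  // "null" origin (sandboxed iframes, file://, some redirects): grant nothing.
  if (!requestOrigin || requestOrigin === "null") return { Vary: "Origin" };
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // Explicit lists: with credentials, browsers read "*" here literally.
    "Access-Control-Allow-Methods": "GET, POST, PUT",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600",
    Vary: "Origin",
  };
}

// Convenience check used below: does a policy grant credentialed read access?
function grantsAccess(policy, requestOrigin) {
  const h = policy(requestOrigin);
  return h["Access-Control-Allow-Origin"] === requestOrigin
    && h["Access-Control-Allow-Credentials"] === "true";
}

// Constructed probe origins, including the tricks an attacker would try.
const PROBES = [
  "https://app.example.com",            // legitimate
  "http://app.example.com",             // wrong scheme
  "https://evil-example.com",           // suffix-match trap
  "https://app.example.com.evil.test",  // prefix trap
  "null",                               // sandboxed iframe / redirect
];

for (const origin of PROBES) {
  console.log(origin.padEnd(36),
    "reflect:", grantsAccess(weakReflectCors, origin),
    "suffix:", grantsAccess(weakSuffixCors, origin),
    "hardened:", grantsAccess(hardenedCors, origin));
}
```

Only the first probe should be granted by the hardened policy; the two weak policies hand the attacker‑controlled origins full read access to the user's session.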
Summary
The preflight is an automatic OPTIONS request the browser issues before a non‑simple cross‑origin request to confirm that the server consents to the method and headers about to be used; simple requests skip it and reach the server directly. By returning an exact allowlisted origin, explicit method and header lists, and Access-Control-Allow-Credentials only where needed, developers can enable cross‑origin communication without letting arbitrary sites read their users' data.
Java Architect Essentials
Committed to sharing quality articles and tutorials to help Java programmers progress from junior to mid-level to senior architect. We curate high-quality learning resources, interview questions, videos, and projects from across the internet to help you systematically improve your Java architecture skills.