A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one from which the first resource itself is served.
Step by step, how CORS works:
- A user opens a resource on a webpage which references another domain.
- The user’s browser creates a connection to the second domain, adding an ‘Origin’ HTTP header to the request which contains the first domain.
- The second domain replies with an ‘Access-Control-Allow-Origin’ HTTP header which lists the domains allowed to make CORS requests. (* allows all domains to make requests.)
- If the first domain is allowed to make the request, the second domain responds with the requested content.
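The exchange above, modelled with plain functions and no network, as an added example that is not part of the original page. The origins, the `api` and `publicApi` objects and both function names are assumptions made up for illustration. The final comparison is shown on the browser side, since the browser checks the returned header before handing the response to the page's script.

```javascript
// Added example: all origins and names below are constructed for illustration.

// Second domain: decide which CORS header to send for a given request.
function corsResponseHeaders(requestHeaders, allowedOrigins) {
  const origin = requestHeaders["origin"];
  if (!origin) return {};                       // no Origin header: not a CORS request
  if (allowedOrigins.includes("*")) {
    return { "access-control-allow-origin": "*" };
  }
  // Exact string match only; prefix or substring checks would let
  // look-alike origins through.
  if (allowedOrigins.includes(origin)) {
    // Vary: Origin keeps caches from reusing this reply for another origin.
    return { "access-control-allow-origin": origin, "vary": "Origin" };
  }
  return {};                                    // origin not allowed: header omitted
}

// Browser: add the Origin header, then check the reply before exposing it to script.
function crossOriginFetch(pageOrigin, server) {
  const request = { origin: pageOrigin };       // set by the browser, not by page script
  const headers = corsResponseHeaders(request, server.allowedOrigins);
  const acao = headers["access-control-allow-origin"];
  const readable = acao === "*" || acao === pageOrigin;
  return { headers, body: readable ? server.body : null };
}

// Constructed sample servers: one with an allowlist, one open to all origins.
const api = { allowedOrigins: ["https://app.example"], body: '{"ok":true}' };
const publicApi = { allowedOrigins: ["*"], body: "public data" };

console.log(crossOriginFetch("https://app.example", api));
console.log(crossOriginFetch("https://app.example.other.test", api));
console.log(crossOriginFetch("https://other.test", publicApi));
```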