API CORS Preflight and Origin Policies

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

CORS preflight and origin policies explain why browser API calls can fail even when the server endpoint works from curl.

## Core Explanation

CORS is enforced by browsers, not by generic HTTP clients. A request can succeed from a server-side script while failing in a browser because the response lacks the right origin, method, header, or credential policy.

Agents should inspect the Origin request header, the OPTIONS preflight response, the Access-Control-* response headers, the request's credentials mode, and the browser console error before changing application logic. A broad wildcard policy can make a failing test pass while creating a security problem.
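As an added example (not code from the original page or from MDN), the following Node-style JavaScript evaluates an Origin against an explicit allow-list and answers the OPTIONS preflight with the Access-Control headers the text describes, instead of a wildcard. The request shape `{ method, headers }` with lowercase header names (as Node's `http` module delivers them), and the allow-list values, are assumptions constructed for the example.

```javascript
// Constructed policy: only this origin, these methods and these request headers are allowed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allow-list
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns { status, headers, allowed, preflight } for an incoming request.
// req.headers is assumed to use lowercase header names, as Node's http module does.
function corsDecision(req, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  // No Origin header: a curl/server-side call, not a cross-origin browser request.
  // The browser will never enforce anything here, so no CORS headers are needed.
  if (!origin) return { status: 200, headers: {}, allowed: true, preflight: false };

  const isPreflight =
    req.method === "OPTIONS" && Boolean(req.headers["access-control-request-method"]);

  // Unknown origin: emit no Access-Control-* headers at all. The browser blocks the
  // read; a preflight is refused outright. "Vary: Origin" keeps shared caches from
  // serving one origin's answer to a different origin.
  if (!allowedOrigins.has(origin)) {
    return { status: isPreflight ? 403 : 200, headers: { vary: "Origin" }, allowed: false, preflight: isPreflight };
  }

  // Echo only an allow-listed origin. "*" cannot be combined with credentials, and
  // reflecting arbitrary origins with credentials would hand the session to any site.
  const headers = {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    vary: "Origin",
  };
  if (!isPreflight) return { status: 200, headers, allowed: true, preflight: false };

  // Preflight: check the method and headers the browser says it wants to send.
  const reqMethod = req.headers["access-control-request-method"].toUpperCase();
  const reqHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = ALLOWED_METHODS.includes(reqMethod);
  const headersOk = reqHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!methodOk || !headersOk) {
    return { status: 403, headers: { vary: "Origin" }, allowed: false, preflight: true };
  }
  headers["access-control-allow-methods"] = ALLOWED_METHODS.join(", ");
  headers["access-control-allow-headers"] = ALLOWED_HEADERS.join(", ");
  headers["access-control-max-age"] = "600"; // let the browser cache this preflight answer
  return { status: 204, headers, allowed: true, preflight: true };
}
```

A preflight for `DELETE` or for a header outside the allow-list is refused even from the allowed origin, which is the case a broad wildcard policy would silently accept.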

## Source-Mapped Facts

- MDN documentation describes Access-Control-Allow-Origin as a response header that indicates whether a response can be shared with requesting code from a given origin. ([source](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin))
- MDN documentation describes CORS as an HTTP-header based mechanism for permitting browser access to resources from another origin. ([source](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS))
- MDN documentation describes a preflight request as an OPTIONS request sent before some cross-origin requests. ([source](https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request))

## Further Reading

- [MDN Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin)
- [MDN Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS)
- [MDN Preflight Request](https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request)