NovaBlock

Cross-Origin (CORS)

Also known as: cors, same-origin policy

The browser rule that stops scripts on one site from reading data from another site without permission.

Updated 10 February 2026

The same-origin policy is the foundation of web security: JavaScript on site A can't read responses from site B unless site B opts in via CORS headers. It's what keeps a random page from silently reading your webmail inbox.

CORS is often blamed for developer friction, but it's the reason the web can be both open and safe. Loosening it (Access-Control-Allow-Origin: *) on an authenticated endpoint is a common cause of data leaks.
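
The opt-in described above, as an added example (not code from this glossary): a simplified model of the browser-side CORS check, next to a server-side exact-match allowlist for an authenticated endpoint. The origins, the allowlist and all function names are constructed for illustration.

```javascript
// Added example: simplified model of CORS. Names and origins are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // hypothetical allowlist

// Server side: decide which CORS headers to send for an authenticated endpoint.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin keeps shared caches from serving one origin's answer to another.
  const headers = { Vary: "Origin" };
  // Exact string match only: no wildcard, no prefix, suffix or regex matching.
  if (typeof requestOrigin === "string" && allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // no Allow-Origin header: the browser blocks the read
}

// Browser side: simplified form of the check that decides whether a script
// running on pageOrigin may read a cross-origin response.
function scriptCanRead(pageOrigin, headers, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) return allowOrigin === "*" || allowOrigin === pageOrigin;
  // Credentialed requests: the wildcard is not accepted, and the server
  // must also send Access-Control-Allow-Credentials: true.
  return allowOrigin === pageOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// The loosened setting from the text, for comparison.
const wildcard = { "Access-Control-Allow-Origin": "*" };

function demo() {
  const other = "https://other.example.net"; // constructed origin, not allowlisted
  return {
    wildcardAnonymous: scriptCanRead(other, wildcard, false),
    wildcardWithCookies: scriptCanRead(other, wildcard, true),
    allowlistedApp: scriptCanRead("https://app.example.com",
      corsHeaders("https://app.example.com"), true),
    unlistedOrigin: scriptCanRead(other, corsHeaders(other), true),
  };
}

console.log(demo());
```

With the wildcard, any origin can read responses to requests sent without browser credentials, so an endpoint whose access control rests on something else (network location, for example) is readable from any page; the allowlist version opts in only the named origin.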
