When I became a web app developer, I was confused by CORS (Cross-Origin Resource Sharing).
You get a CORS error when trying to access a server API from a web browser.

This error is not caused by the server blocking the request.
Instead, the server sends a CORS header, and the web browser blocks the response if the server doesn’t allow cross-domain access.
However, if you access the same server API using Python, it works just fine.

Why? Why does the web browser block it?

The Reason behind CORS:
Imagine you are logged into https://bank.com. The website’s frontend stores a cookie that acts as your authentication token. Every request you make to bank.com automatically includes this cookie, allowing the server to identify you.

Now, suppose you open a malicious website in a new browser tab. That website might attempt to access bank.com using your authenticated cookie.
If bank.com has CORS restrictions, the web browser will block the request, keeping your money safe.
Otherwise, the malicious site could access your bank account, and you’d be in trouble.
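
The decision the browser makes can be sketched in code. This is an added example, not code from the original post: it follows the Fetch standard's CORS check in simplified form (no preflight), and the function names and the `evil.example` and `partner.example` origins are constructed for illustration.

```javascript
// Simplified model of the browser-side CORS check (no preflight handling).
// All names and sample values are constructed for this example.

// Header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : String(headers[key]).trim();
}

// May a script on `pageUrl` read the response that `targetUrl` returned
// with `responseHeaders`? `withCredentials` means cookies were attached.
function scriptMayReadResponse(pageUrl, targetUrl, responseHeaders, withCredentials) {
  const pageOrigin = new URL(pageUrl).origin;
  const targetOrigin = new URL(targetUrl).origin;

  // Same-origin requests are not subject to the CORS check at all.
  if (pageOrigin === targetOrigin) return true;

  const allowOrigin = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) return false; // server never opted in

  // A wildcard is only honoured for requests sent without cookies.
  if (allowOrigin === '*') return !withCredentials;

  if (allowOrigin !== pageOrigin) return false; // opted in for another origin
  if (!withCredentials) return true;

  // Cookie-bearing requests also need an explicit, case-sensitive "true".
  return getHeader(responseHeaders, 'Access-Control-Allow-Credentials') === 'true';
}

// Constructed scenario: a page on evil.example calls the bank API with the
// victim's cookie attached, and the bank sends no CORS headers.
const blocked = scriptMayReadResponse(
  'https://evil.example/', 'https://bank.com/api/balance', {}, true
);
console.log('evil.example may read the bank response:', blocked);
```

A Python script has no such check between it and the response, which is why the same API call succeeds there.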
