Skip to content
Latchkey

What Is CORS? Cross-Origin Browser Security

CORS, cross-origin resource sharing, is a browser security mechanism that controls whether a web page from one origin is allowed to call an API on a different origin.

Browsers block a page from freely reading responses from a different origin unless the server opts in with CORS headers. This protects users, but it surprises developers when a frontend cannot reach its API after a deploy. CORS is enforced by the browser, so it shows up in frontend and end-to-end tests, not in server-to-server CI calls.

What counts as cross-origin

An origin is the combination of scheme, host, and port. A request from app.example.com to api.example.com is cross-origin because the hosts differ, even under the same parent domain.

The server opts in

The server grants access with response headers like Access-Control-Allow-Origin. Without the right header, the browser blocks the page from reading the response even if the server replied successfully.

Preflight requests

  • For non-simple requests the browser sends an OPTIONS preflight.
  • The server must answer it with the allowed methods and headers.
  • A failed preflight blocks the real request entirely.

Why it surprises after deploys

A frontend deployed to a new domain may call an API that does not list that origin yet, so requests are blocked. Updating the API CORS config to include the new origin fixes it.

CORS in end-to-end tests

Browser-based tests in CI exercise real CORS behavior. A preflight failure or missing allow-origin header appears as blocked network requests in the test run, mirroring what users would hit.

Configuration, not a blip

A CORS failure is deterministic: the same missing header blocks every request until fixed. Latchkey runners retry genuine transient network failures, but a CORS misconfiguration is a config fix on the API, not something a retry resolves.

Key takeaways

  • CORS is a browser rule governing cross-origin API access, enforced client-side.
  • The server must send allow-origin headers and answer preflight requests.
  • A CORS failure is deterministic config, not a transient network blip.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →