
Monday, October 19, 2020

CORS

Before looking at CORS, let's first understand the same-origin policy, because CORS is the mechanism for selectively relaxing it.

Same-origin policy

The same-origin policy is a browser security mechanism (enforced by the browser, not the server) which

  • permits documents and scripts loaded from one origin to read and interact with resources from that same origin
  • prevents documents and scripts from one origin from reading responses that come from a different origin

Note that the policy restricts reading, not sending: a page can still trigger cross-origin requests (form submissions, <img> and <script> loads, a fetch() call), but the browser withholds the response from the script unless the target origin opts in. The unit of isolation is the origin (protocol, host and port), which is stricter than "domain": http://example.com and https://example.com are different origins.

Definition of an origin

Two URLs have the same origin if the protocol, host, and port are the same for both. A URL that does not specify a port uses the protocol's default (80 for http, 443 for https), so http://store.company.com and http://store.company.com:80 are the same origin.

The following table gives examples of origin comparisons with the URL http://store.company.com/dir/page.html:

URL                                             | Outcome     | Reason
------------------------------------------------|-------------|-----------------------------------------------
http://store.company.com/dir2/other.html        | Same-origin | Only the path differs
http://store.company.com/dir/inner/another.html | Same-origin | Only the path differs
https://store.company.com/page.html             | Failure     | Different protocol
http://store.company.com:81/dir/page.html       | Failure     | Different port (http:// is port 80 by default)
http://news.company.com/dir/page.html           | Failure     | Different host
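As an added example (not code from the original post), here is a small JavaScript check that applies the same-origin rule from the table, using the URL parser built into Node.js. The one detail worth getting right is the default port: the parser drops ":80" and ":443" from a URL, so the comparison has to fill the default back in rather than compare the raw port strings. The table rows above are reused as constructed inputs.

```javascript
// Added example, not part of the original post: compare two URLs for
// same-origin by scheme, host and port. Runs under Node.js, which provides
// the WHATWG URL class globally.

// A URL that omits the port uses its scheme's default.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Break a URL into the three components that define its origin.
function originParts(urlString) {
  const u = new URL(urlString);
  // u.port is "" both when the URL omits the port and when it names the
  // scheme default (the parser elides default ports), so fill it in here.
  const port = u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol];
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originParts(a);
  const y = originParts(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Report a mismatch the way the table above does (protocol checked first,
// so https://... is reported as "different protocol" even though its
// default port differs too).
function compareOrigins(base, other) {
  const x = originParts(base);
  const y = originParts(other);
  if (x.scheme !== y.scheme) return "Failure: different protocol";
  if (x.host !== y.host) return "Failure: different host";
  if (x.port !== y.port) return "Failure: different port";
  return "Same-origin";
}

// Constructed inputs: the rows of the table above.
const BASE = "http://store.company.com/dir/page.html";
const CASES = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/page.html",
  "http://store.company.com:81/dir/page.html",
  "http://news.company.com/dir/page.html",
  "http://store.company.com:80/dir/page.html", // explicit default port
];

for (const url of CASES) {
  console.log(url, "->", compareOrigins(BASE, url));
}
```

Comparing `new URL(a).origin === new URL(b).origin` gives the same answer in practice, since the parser already normalises default ports and host case; the explicit version above just makes the three components visible.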


How to allow cross-origin access?

Use CORS to allow cross-origin access. Cross-Origin Resource Sharing (CORS) enables web browsers to request resources from origins other than their own. For example, using CORS, JavaScript code at https://www.example.com could request a resource from https://www.salesforce.com. 


These Salesforce technologies support CORS.

  • Analytics REST API

  • Bulk API

  • Connect REST API

  • Salesforce IoT REST API

  • Lightning Out

  • REST API

  • User Interface API

  • Apex REST


In Salesforce, add the origin serving the code to a CORS allowlist. If a browser that supports CORS makes a request to an origin in the allowlist, Salesforce returns the origin in the Access-Control-Allow-Origin HTTP header along with any additional CORS HTTP headers. If the origin is not included in the allowlist, Salesforce returns HTTP status code 403.
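As an added example, and not Salesforce's own code, the following JavaScript models the server-side decision the paragraph above describes: check the request's Origin against an allowlist, echo exactly the matched origin in Access-Control-Allow-Origin, and answer 403 otherwise. The function takes a minimal request object ({ method, headers }) so it runs offline; the same logic drops into any HTTP handler. `ALLOWLIST`, `ALLOWED_METHODS` and `ALLOWED_HEADERS` are assumed configuration values, and the sample requests are constructed. `insecureReflect` shows the pattern the allowlist exists to prevent.

```javascript
// Added example, not Salesforce's implementation: a server-side CORS decision
// driven by an exact-origin allowlist. Runs under Node.js.

// Assumed configuration. Entries are exact origins (scheme + host + port),
// compared with Set membership, never by prefix or substring: a look-alike
// such as https://www.example.com.evil.net must not match.
const ALLOWLIST = new Set(["https://www.example.com"]);

// Assumed values: what the API is willing to accept cross-origin.
const ALLOWED_METHODS = "GET, POST, PATCH, DELETE";
const ALLOWED_HEADERS = "Authorization, Content-Type";

// Returns { status, headers } for a request shaped like { method, headers }
// (header names lower-cased, as Node's http module delivers them).
function decideCors(req) {
  const origin = req.headers["origin"];

  // No Origin header: same-origin navigation or a non-browser client. CORS
  // does not apply, so emit no CORS headers at all (never default to "*").
  if (origin === undefined) return { status: 200, headers: {} };

  // "null" is what sandboxed iframes, file:// pages and some redirects send.
  // It is an opaque origin and must never be allowlisted.
  if (origin === "null" || !ALLOWLIST.has(origin)) {
    return { status: 403, headers: {} };
  }

  // Echo the matched origin (not "*", not an arbitrary reflected value) and
  // tell caches the response varies by Origin, so a reply computed for one
  // origin is not served to another.
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  };

  // Preflight: the browser asks permission before a non-simple request.
  const isPreflight =
    req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers }; // preflight response carries no body
  }

  return { status: 200, headers };
}

// The anti-pattern the allowlist replaces: reflecting whatever Origin
// arrives. Combined with Allow-Credentials, any site can read the
// authenticated response in the victim's browser.
function insecureReflect(req) {
  return {
    status: 200,
    headers: {
      "Access-Control-Allow-Origin": req.headers["origin"],
      "Access-Control-Allow-Credentials": "true",
    },
  };
}

// Constructed requests, as the browser would send them from an allowlisted
// origin and from a look-alike origin.
const fromAllowed = decideCors({
  method: "GET",
  headers: { origin: "https://www.example.com" },
});
const fromLookalike = decideCors({
  method: "GET",
  headers: { origin: "https://www.example.com.evil.net" },
});
console.log(fromAllowed.status, fromAllowed.headers);     // 200, origin echoed
console.log(fromLookalike.status, fromLookalike.headers); // 403, no CORS headers
```

Whether the 403 for a non-allowlisted origin is the right status is a design choice (Salesforce makes it; some servers return 200 without CORS headers and let the browser block the read), but the invariant is the same either way: the allowed origin is only ever written from the allowlist match, never from the raw request.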


