Summary

The Same-Origin Policy restricts cross-origin browser access. CORS is the controlled opt-in mechanism that allows selected cross-origin requests.

Interview Points

  • Origin is scheme, host, and port.
  • SOP protects users by preventing arbitrary sites from reading sensitive responses.
  • CORS is enforced by browsers, not by backend-to-backend calls.
  • Preflight requests check whether non-simple requests are allowed.
  • CORS is not authentication or authorization.

2-3 Minute Interview Script

“The Same-Origin Policy is a browser security boundary. It prevents a page from one origin from freely reading data from another origin. An origin is scheme, host, and port.

CORS is the mechanism that lets a server opt into specific cross-origin access by returning headers like Access-Control-Allow-Origin. For non-simple requests, the browser sends a preflight OPTIONS request to check whether the real request is allowed.

The key interview point is that CORS is enforced by browsers. It does not stop server-to-server requests, and it is not a replacement for authentication or authorization.

In a production design, I would allow only trusted origins, handle credentials carefully, avoid wildcard origins with credentials, and keep API authorization independent of CORS.”

Follow-Ups

  • What triggers a preflight request?
  • Why is * dangerous with credentials?