Summary
The Same-Origin Policy restricts cross-origin browser access. CORS is the controlled opt-in mechanism that allows selected cross-origin requests.
Interview Points
- Origin is scheme, host, and port.
- SOP protects users by preventing arbitrary sites from reading sensitive responses.
- CORS is enforced by browsers, not by backend-to-backend calls.
- Preflight requests check whether non-simple requests are allowed.
- CORS is not authentication or authorization.
2-3 Minute Interview Script
“The Same-Origin Policy is a browser security boundary. It prevents a page from one origin from freely reading data from another origin. An origin is scheme, host, and port.
CORS is the mechanism that lets a server opt into specific cross-origin access by returning headers like
Access-Control-Allow-Origin. For non-simple requests, the browser sends a preflightOPTIONSrequest to check whether the real request is allowed.The key interview point is that CORS is enforced by browsers. It does not stop server-to-server requests, and it is not a replacement for authentication or authorization.
In a production design, I would allow only trusted origins, handle credentials carefully, avoid wildcard origins with credentials, and keep API authorization independent of CORS.”
Follow-Ups
- What triggers a preflight request?
- Why is
*dangerous with credentials?