Search tools and guides ⌘K
Semicolony ELI5 · comic

CORS.

A bouncer who phones the other building first: “is this guest allowed to talk to you?” before a page calls another site.

  1. </> site A site B API give me data
    1

    A page from one site wants to call another site’s API — a different “origin.”

  2. Different building — hold on.
    site B
    2

    Your browser is the bouncer: same-origin walks in; cross-origin gets a second look.

  3. Is this guest on the list?
    site B is this allowed?
    3

    For risky calls, the browser phones ahead first (a “preflight”): is this allowed?

  4. Yes — they’re welcome.
    ALLOWED: site A others: no
    4

    The other site answers with its guest list — which origins it allows.

  5. </> site A site B
    5

    On the list? The real request goes through and the data comes back.

  6. Blocked by CORS policy.
    console blocked by CORS No allow-origin
    6

    Not on the list? The browser blocks it and logs a CORS error — even though the server was fine.

Why a page can’t freely call another site — and what a CORS error really means.
Semicolony semicolony.dev/eli5/cors/comic
← All ELI5 explainers