Fetch: Cross-Origin Requests

If we send a fetch request to another web-site, it will probably fail. For instance, let’s try fetching http://example.com: Fetch fails, as expected. The core concept here is origin – a domain/port/protocol triplet. Cross-origin requests – those sent to another domain (even a subdomain) or protocol or port – require special headers from the remote side. That policy is called “CORS”: Cross-Origin Resource Sharing.

Why is CORS needed? A brief history

CORS exists to protect the internet from evil hackers. Seriously. Let’s make a very brief historical digression. For many years a script from one site could not access the content of another site. That simple, yet powerful rule was a foundation of the internet security. E.g. an evil script from website hacker.com could not access the user’s mailbox at website gmail.com. People felt safe. JavaScript also did not have any special methods to perform network requests at that time. It was a toy language to decorate a web page. But web developers demanded more power. A variety of tricks were invented to work around the limitation and make requests to other websites.

Using forms

One way to communicate with another server was to submit a