C11 | Advanced

CORS Understanding Training

30 min | Once (but the concept lasts a lifetime)

Format: Understand why browsers block certain cross-origin requests, and why servers never do.

Scenario: Your frontend is served from https://myapp.com and your API lives at https://api.myapp.com. A user reports that a request is "blocked" and the browser console shows a CORS error. Why?

Core concept: Browsers enforce a "Same-Origin Policy" (SOP). An origin is the combination of scheme, host and port; two URLs with the same scheme, host and port are same-origin, and anything else (a different subdomain, a different port, http vs https) is cross-origin. By default a script on one origin may not read the response of a request it makes to another origin. CORS (Cross-Origin Resource Sharing) is the mechanism a server uses to relax this: the response carries Access-Control-Allow-Origin, and the browser compares that header with the page's origin before handing the response to script. The security goal is to stop a page on a malicious site from using your browser (and the cookies it holds) to read data from your bank's site. Two caveats a practitioner should keep in mind: the SOP restricts reading the response, not always sending the request (a simple cross-origin POST is still sent, which is why CSRF protection exists separately), and the policy applies only to code running inside a browser.

Exercise: Determine whether script on the page would be blocked from reading the response of the following requests if the API sent no CORS headers:

  1. myapp.com requests api.myapp.com -> ?
  2. myapp.com requests myapp.com/api -> ?
  3. myapp.com requests google.com/api -> ?
  4. Server-side code requests any URL -> ?

Answer hint: Only browsers enforce the Same-Origin Policy; servers do not, they merely declare what is permitted via CORS headers. This is why an API called from the frontend either needs to send Access-Control-Allow-Origin for the frontend's origin, or is proxied through the frontend's own backend so the browser sees a same-origin request. When you do configure CORS, allow an explicit list of origins; reflecting any Origin header back while also sending Access-Control-Allow-Credentials: true reopens exactly the cross-site data theft the policy exists to prevent.
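The decision the browser makes can be modelled in a few functions, which is a useful way to check your answers to the exercise above. This is an added example written for this card, not code from the training page; it runs under Node.js and uses the page's own scenario URLs plus a constructed third-party URL (https://google.com/api) and constructed response headers as sample input. Item 4 of the exercise (server-side code) is deliberately outside the model, since nothing here applies once the caller is not a browser. It also covers one point the card only implies: which cross-origin requests trigger a preflight OPTIONS request before being sent at all.

```javascript
// Added example: a model of the browser-side same-origin / CORS decision.
// Not from the training page; sample URLs and headers are constructed.

// Two URLs share an origin when scheme, host and port all match.
// The URL parser normalises default ports (https -> '', http -> '').
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// The Origin value the browser would put on a cross-origin request.
function originOf(url) {
  return new URL(url).origin;
}

// Does the browser let script on pageUrl read the response from requestUrl?
// Mirrors the CORS response check:
//  - same-origin: always readable, no CORS headers involved
//  - cross-origin: readable only if Access-Control-Allow-Origin matches the
//    page's origin exactly, or is "*" (which is never accepted when
//    credentials such as cookies were sent)
function responseReadable(pageUrl, requestUrl, responseHeaders, withCredentials = false) {
  if (sameOrigin(pageUrl, requestUrl)) return true;
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (allow === '*') return !withCredentials;
  if (allow !== originOf(pageUrl)) return false;
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// Does a cross-origin request need a preflight OPTIONS before it is sent?
// "Simple" requests are GET/HEAD/POST carrying only CORS-safelisted headers,
// with Content-Type limited to three form-style values.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
function needsPreflight(method, headers = {}) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Walk the card's exercise with constructed responses.
function exercise() {
  const page = 'https://myapp.com/';
  const noCors = {};                                                   // API sends no CORS headers
  const corsForMyapp = { 'Access-Control-Allow-Origin': 'https://myapp.com' }; // the fix
  return {
    // 1. api.myapp.com is a different host, so cross-origin: blocked until the header is added
    subdomainWithoutHeader: responseReadable(page, 'https://api.myapp.com/users', noCors),
    subdomainWithHeader: responseReadable(page, 'https://api.myapp.com/users', corsForMyapp),
    // 2. same scheme, host and port: same-origin, CORS never enters the picture
    samePath: responseReadable(page, 'https://myapp.com/api/users', noCors),
    // 3. a third-party origin without the header: blocked
    thirdParty: responseReadable(page, 'https://google.com/api', noCors),
    // wildcard is refused once cookies are involved
    wildcardWithCookies: responseReadable(page, 'https://api.myapp.com/me',
      { 'Access-Control-Allow-Origin': '*' }, true),
    // a JSON body is not a simple request and forces a preflight
    jsonNeedsPreflight: needsPreflight('POST', { 'Content-Type': 'application/json' }),
    formIsSimple: needsPreflight('POST', { 'Content-Type': 'application/x-www-form-urlencoded' }),
  };
}

console.log(exercise());
```

Note that `responseReadable` returning false for case 1 does not mean the request never reached api.myapp.com; for a simple GET the server already answered, and the browser discarded the response before script could see it. That is the distinction between "blocked" as the user sees it and "not sent" as a server log would show it.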
