20 Matching Annotations
  1. May 2023
  2. Sep 2022
  3. Aug 2022
  4. May 2022
    1. First, cross-origin requests come in two kinds. One is the simple request, i.e. a GET or POST request (without extra request headers). In this case the browser sends the request directly and, if the response carries a header that allows cross-origin access, displays the result. (This does not mean that the server returns no data when the cross-origin header is missing; the data is returned as usual, but the browser blocks the returned data.) The other is the complex request, i.e. a request that is neither GET nor POST, or one that carries custom headers. In this case the browser first sends an OPTIONS request (a preflight request) to determine whether cross-origin access is allowed. Only after the cross-origin conditions returned by the server all permit it does the browser send the actual request.

  5. Mar 2022
  6. Oct 2021
  7. Sep 2021
  8. Jan 2021
    1. Prior to the adoption of the Cross-Origin Resource Sharing (CORS) standard, JSONP was the only option to get a JSON response from a server of a different origin.
    1. This is a security measure implemented in all browsers that stops you from using an API in a potentially unsolicited way and most APIs, including the iTunes API, are protected by it.
    1. Why is CORS important? Currently, client-side scripts (e.g., JavaScript) are prevented from accessing much of the Web of Linked Data due to "same origin" restrictions implemented in all major Web browsers. While enabling such access is important for all data, it is especially important for Linked Open Data and related services; without this, our data simply is not open to all clients. If you have public data which doesn't require cookie- or session-based authentication to see, then please consider opening it up for universal JavaScript/browser access. For CORS access to anything other than simple, non-auth-protected resources
    1. The same-origin policy fights one of the most common cyber attacks out there: cross-site request forgery. In this maneuver, a malicious website attempts to take advantage of the browser’s cookie storage system.
    2. utilizing the fact that the same origin policy is not enforced within server-to-server communication
  9. Sep 2020
    1. if you try to load the HTML file locally (i.e. with a file:// URL), you'll run into CORS errors due to JavaScript module security requirements. You need to do your testing through a server.
  10. Apr 2020
    1. Without same-origin policy, that hacker website could make authenticated malicious AJAX calls to https://examplebank.com/api to POST /withdraw even though the hacker website doesn’t have direct access to the bank’s cookies.

      Cross-domain vulnerability

  11. Dec 2019
    1. Note that adding the X-Requested-With header makes the request "unsafe" (as defined by CORS), and will trigger a preflight request, which may not be desirable.
  12. Sep 2018