Cross-Origin Resource Sharing (CORS)
A browser security mechanism that controls how web pages from one origin (scheme, host and port) can read resources from a different origin, using HTTP response headers to declare which cross-origin requests the server permits.
Browsers enforce the same-origin policy by default: JavaScript running on one origin cannot read the response to a request it sends to a different origin. CORS relaxes this restriction in a controlled way. The server includes headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers in its responses to tell the browser which cross-origin requests, and from which origins, it accepts. The check is performed by the browser, not the server: CORS does not stop a non-browser client such as curl or a script from sending the request, so it is not a substitute for server-side authentication and authorization.
For requests that are not "simple" (for example a PUT or DELETE, a JSON body, or a custom header such as Authorization), the browser first sends a preflight OPTIONS request carrying Access-Control-Request-Method and Access-Control-Request-Headers, and only sends the actual request if the preflight response permits it. Requests that carry cookies or other credentials additionally need Access-Control-Allow-Credentials: true, and in that case Access-Control-Allow-Origin must name a specific origin rather than *. CORS issues are a frequent source of bugs in web applications that rely on APIs hosted on different subdomains or external services.
Why It Matters for QA Teams
CORS errors are among the most common and confusing issues in web development. QA teams encounter them frequently when testing API integrations, CDN-hosted assets, or microservice architectures across different domains.
Example
The front end at https://app.example.com calls https://api.example.com/users. In the test environment it works because both are served from the same origin on localhost, so the browser never makes a cross-origin request. In staging it fails with a CORS error because the API server's Access-Control-Allow-Origin header does not name https://app.example.com (or the staging front-end origin). The fix: update the API's CORS configuration with an explicit allow-list of the staging and production front-end origins. Do not "fix" it by reflecting whatever Origin the request carries or by using * on an API that serves authenticated data; either choice lets any website read responses on behalf of a logged-in user.
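The server side of the exchange described above, written as an added example rather than code from the original page: a pure-function model of how an API should decide its CORS response headers from an explicit allow-list, including the preflight branch and the simple-request rule. The origins, the allowed methods and headers, and the `corsHeaders`/`isSimpleRequest` function names are assumptions for illustration; the request objects are constructed inline so the code runs offline.

```javascript
// Added example (not from the original page): server-side CORS decision logic.
// Origins, method list and header list are hypothetical configuration values.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",         // production front end (assumed)
  "https://app.staging.example.com", // staging front end (assumed)
]);

// Browsers skip the preflight for "simple" requests: GET, HEAD or POST that
// use only CORS-safelisted headers and, for Content-Type, one of three
// form-style media types. Anything else triggers an OPTIONS preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Compute the CORS response headers for one request. `req` is a plain
// { method, headers } object standing in for the incoming HTTP request.
function corsHeaders(req) {
  const origin = getHeader(req.headers, "origin");
  // No Origin header: same-origin navigation or a non-browser client.
  // There is nothing to grant, and the server's own authorization still applies.
  if (origin === undefined) return {};

  // Exact-match allow-list. Never echo an arbitrary Origin back, and never
  // combine "*" with Allow-Credentials: browsers reject that pairing, and
  // reflecting any origin with credentials would let any site read
  // authenticated responses.
  if (!ALLOWED_ORIGINS.has(origin)) return {};

  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The answer depends on Origin, so caches must key on it.
    "Vary": "Origin",
  };

  const isPreflight =
    req.method.toUpperCase() === "OPTIONS" &&
    getHeader(req.headers, "access-control-request-method") !== undefined;
  if (isPreflight) {
    // Declare what the actual request may use; the browser compares this
    // against Access-Control-Request-Method / -Headers before proceeding.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600"; // cache the preflight for 10 minutes
  }
  return headers;
}

module.exports = { ALLOWED_ORIGINS, isSimpleRequest, corsHeaders };
```

A request from an origin that is not in the allow-list gets no CORS headers at all, which is what produces the browser-side error seen in staging; the browser still delivers the request to the server, so the API must not rely on this check to protect data.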