Same-origin policy and CORS: who can read data from another server
The browser's same-origin policy (SOP) blocks JavaScript on one page from reading data from another domain - unless the server explicitly allows it through CORS. This post walks through how that server-side permission mechanism works, why you sometimes see a preflight OPTIONS request, and why you sometimes don't.
