How high can you score? Take our 8 question PM technical skills mini-quiz →

Is Skiplevel Right for Me? Testimonials Training for Teams Free Technical Resources
Enroll Now

← See more on the Skiplevel Blog

What is Cross-Origin Resource Sharing (CORS) and how does it work?

May 31, 2023
cross-origin-request-cors-diagram

Want to become more technical in just 4 weeks? Find out how the Skiplevel program can help.

 

Cross-Origin Resource Sharing (CORS)

For security reasons, browsers by default restrict cross-origin (two different domains) HTTP requests initiated from scripts. This is what's known on the internet as the same-origin policy. CORS is a way to overcome the same-origin policy.

CORS (short for Cross-Origin Resource Sharing) is an important security measure on the internet that allows owners control over who can access their domain resources. CORS allows a server to set which origins (domain, scheme, or port) other than its own that they will allow loading access from.

For example, if a developer who owns https://domain-a.com tries to load content from another website https://domain-b.com, the browser will restrict this access since they're two different domains.

In order to allow access, domain-b would need to set their API response header to allow all access (denoted by *) or allow access to your domain specifically.

Examples:
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: https://domain-a.com


What you need to know about CORS as a PM:

Building software is a complex process and unforeseen complications often arise during the process. As a PM, you should be aware of as many of these possible complications as possible, including the same-origin policy that may delay time to implement.

If a feature your engineering team is working on depends on a third-party, the development team may need to get permission from that third-party in order to gain access to their resources. As you can imagine, complications would arise if the third-party says no, or takes a long time to update their system configuration to allow access from your domain.

Tip: Anytime an engineer refers to "same-origin" or "cross-domain concerns" or "access control", it's likely they're referring to CORS.

 

 

Sign up for Skiplevel’s newsletter to get more content like this straight to your inbox.

Learn more about the Skiplevel program ⟶

Connect with Irene on LinkedIn and Twitter and follow Skiplevel on LinkedIn, Twitter, and Instagram.

 

Become more technical without learning to code with the Skiplevel program.

The Skiplevel program is specially designed for the non-engineering professional to give you the strong technical foundation you need to feel more confident in your technical abilities in your day-to-day role and during interviews.

Learn more

Irene Yu

Founder, Skiplevel.co

Fullstack software engineer and tech mentor to product managers. Follow Irene on Medium!

Recent posts

Stop wasting dev time: PM's Guide to Preliminary Research on Third-Party Integrations
Apr 03, 2025
What it really takes to land a Product Leadership role now w/ Marc Baselga
product leadership product management
Apr 02, 2025
How AI is changing the PM role
ai product management product management responsibilities
Jan 30, 2025

← See more on the Skiplevel Blog

Get technical tips straight to your inbox

Subscribe to the Skiplevel newsletter to get technical tips and be the first to hear about special offers, program updates and events. See latest newsletter issue →

We hate SPAM. We will never sell your information, for any reason.