Who enforces the Same-Origin Policy and CORS?
The browser enforces both. The server does not enforce them; it only returns headers. The browser reads those headers and decides whether to allow the response to be read by your script.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in CORS vs Same-Origin Policy: What's the Difference?
The Same-Origin Policy is the browser's default rule blocking cross-origin access. CORS is a mechanism that relaxes this policy in a controlled way, letting servers explicitly allow certain origins to access their resources.
No. The Same-Origin Policy is the restriction; CORS is the controlled exception to it. Without CORS, the Same-Origin Policy would block all cross-origin requests. CORS lets servers opt in to allowing specific origins.
Because the Same-Origin Policy is the restriction, and CORS is the relaxation that lets servers opt in to cross-origin access. Understanding this helps you realize the fix for CORS issues is always on the server side, not in your frontend code.
Still have questions?
Browse all our FAQs or reach out to our support team
