CORS, the same-origin policy, and the long history of cross-origin trust
Traces the same-origin policy from Netscape 1995 to RFC 6454, then how CORS relaxes it through preflights and Access-Control headers, the misconfigurations that break it, and where the model stands in 2026.
· 21 min read