define cors --plain-english

Illustration for "CORS" from the Non-Technical Technical Dictionary

CORS

TLDR: The most baffling error a new builder ever hits reads "blocked by CORS policy." It sounds like you did something illegal.

The most baffling error a new builder ever hits reads "blocked by CORS policy." It sounds like you did something illegal. You didn't. Your browser is just checking a guest list.

This one melts brains because the error seems to blame you, but the rule isn't even yours to break. Let me set the table with the frontend and the backend. Your app has a frontend, the part running in the browser (the dining room), and it wants something from a backend that lives somewhere else (another site's kitchen). Say your site, mysite.com, wants to pull data from another service at api.othersite.com.

The bouncer and the guest list. Every backend has a bouncer at the door holding a list of which other websites are allowed to talk to it from inside a browser. When your frontend tries to call api.othersite.com, your browser quietly walks up to that bouncer first and asks: "is mysite.com on your list?"

  • On the list, you're waved through and the data comes back.
  • Not on the list, "blocked by CORS policy." Turned away at the door.

Here's the twist that finally makes it click: the browser is the one enforcing this, and it's doing it to protect you. CORS stands for Cross-Origin Resource Sharing, which you can forget immediately. It's a safety rule baked into every browser. It exists so that a sketchy site you stumbled onto in one tab can't quietly fire requests at your bank in another tab and read the answers, riding on the fact that you're already logged in there. The browser is acting as your bodyguard. It just phrases the rejection like you're the suspect.

The tell that proves it's CORS. Watch what happens when something other than a browser makes the exact same call. An agent calling that API, or a command you run in the terminal, gets the data with no CORS error at all. No browser in the middle, no bouncer, no guest list. CORS is purely a browser rule. So if your call works from the terminal but dies in your web app, it's almost always this.

And the fix usually isn't on your side. The other site has to add your site to its guest list, a small setting that says "mysite.com is allowed." If you own both ends, you add it yourself. If you don't own the other end, the standard move is to stop calling it straight from the browser and route the call through your own backend instead, server to server, where there's no bouncer at all.

CORS isn't punishing you. It's your browser asking the other site's bouncer whether you're on the list. The fix is getting added to the list, not yelling at the door.