SecureStartKit

CORS (Cross-Origin Resource Sharing)

Also known as: Cross-Origin Resource Sharing, CORS headers

Definition

CORS (Cross-Origin Resource Sharing) is the browser mechanism that controls which origins may read responses from which API endpoints. The server declares allowed origins via the Access-Control-Allow-Origin header, and the browser blocks cross-origin requests, or withholds their responses, when that check fails.

What is CORS?

By default, browsers block JavaScript on https://attacker.com from reading responses to fetches against https://yourapi.com. CORS is the protocol that lets your server explicitly opt in: respond with Access-Control-Allow-Origin: https://yourapp.com and the browser allows the response through.

What is the wildcard CORS anti-pattern?

Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true is forbidden by the spec, but partial misconfigurations are common: allowing wildcard origins for endpoints that read authenticated session data effectively turns the cookie-credential boundary off. Always pin allowed origins to your known domains.

How does CORS relate to CSRF?

CORS is about JavaScript reading the response. CSRF is about the request happening at all with the user's cookies attached. The browser sends cookies to the target origin regardless of where the request originated. CORS does not block the request from happening; SameSite cookie attributes and CSRF tokens are the defenses for that side of the problem.
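The wildcard anti-pattern above and the CORS-versus-CSRF distinction, as an added example that is not SecureStartKit's own code: an origin-reflecting policy beside a pinned one, a check for the forbidden header combination, and a small browser model showing that the request still reaches the server with cookies whatever the CORS headers say. The allowlist, origins, handler and session cookie are assumed for illustration.

```javascript
// Added example (not SecureStartKit's own code): a small model of a server's
// CORS decision and of what the browser does with it. The allowlist, origins,
// handler and session cookie below are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://yourapp.com"]);

// Weak pattern: echo any Origin and allow credentials. For endpoints that read
// the session cookie this behaves like the wildcard the spec forbids.
function corsHeadersReflectAny(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Pinned pattern: exact-match the Origin (scheme, host, port) against known
// domains; any other origin gets no CORS headers at all.
function corsHeadersPinned(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // the response depends on Origin, so caches must key on it
  };
}

// Configuration check for the combination the spec forbids outright.
function isForbiddenCombination(headers) {
  return headers["Access-Control-Allow-Origin"] === "*" &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Browser-side model of a credentialed cross-origin fetch from `pageOrigin`.
// The request always reaches the server with the cookie attached (the handler
// runs either way); the CORS headers only decide whether the calling page may
// read the response. Stopping the request itself is SameSite/CSRF-token work.
function simulateCredentialedFetch(pageOrigin, corsPolicy, handler) {
  const serverResult = handler({ cookie: "session=abc123" }); // constructed
  const headers = corsPolicy(pageOrigin);
  const responseReadable =
    headers["Access-Control-Allow-Origin"] === pageOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
  return { requestReachedServer: true, responseReadable, serverResult };
}
```

Running the model with `https://attacker.com` as the page origin shows the difference: the reflecting policy lets that page read the authenticated response, the pinned policy does not, and in both cases the handler ran with the cookie present.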
