Great and clear guide to this thorny topic. However, even this article gets a little confused in its wording at one point:
> In such cases, we want our API to set the Access-Control-Allow-Origin header to our website’s URL. That will make sure browsers never send requests to our API from other pages.
> If users or other websites try to cram data in our analytics API, the Access-Control-Allow-Origin headers set on the resources of our API won’t let the request to go through.
The ACAO header only performs a controlled relaxation of cross-origin restrictions. It is the browser that is ensuring that by default other pages can't send requests to the API.
Just a nitpick as I feel the rest of the article illustrates this well.
> In such cases, we want our API to set the Access-Control-Allow-Origin header to our website’s URL. That will make sure browsers never send requests to our API from other pages.
> If users or other websites try to cram data in our analytics API, the Access-Control-Allow-Origin headers set on the resources of our API won’t let the request to go through.
The ACAO header only performs a controlled relaxation of cross-origin restrictions. It is the browser that is ensuring that by default other pages can't send requests to the API. Just a nitpick as I feel the rest of the article illustrates this well.