So I know how the CORS header value on the server side is responsible for throttling of requests from unknown clients/clients not specified by the "Access-Control-Allow-Origin" header in the response headers. Let me take https://www.google.com in this case to make the question clear.
I have a mini server up and running on localhost:5500. When I try making an XHR request (from a script) to google.com, it rightfully throws up the below CORS error:
Access to XMLHttpRequest at 'https://www.google.com/' from origin has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Upon inspecting one of the XHR requests in the network tab in dev tools, I can see that the "Access-Control-Allow-Origin" header is indeed missing. The only related response header I found was:
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Why doesn't this same issue occur when invoking the same request via cURL or Postman? I even tried passing the exact same headers that were getting passed in the XHR request of my script to the cURL and Postman requests, but the latter methods returned a successful response.
What exactly is the difference between the two approaches?