This is a little backwards, the goal of CORS isn't just to protect the _user_ it is also to protect the _third party website_.
All it takes for a website to opt-in to this is just adding a single header - it's possible for bar.com to allow the request from foo.com by opting into it.
This is a little backwards, the goal of CORS isn't just to protect the _user_ it is also to protect the _third party website_.
All it takes for a website to opt-in to this is just adding a single header - it's possible for bar.com to allow the request from foo.com by opting into it.