http cors cross-domain

When does the browser reject a CORS request?


I have recently learned about Cross-Origin Resource Sharing (CORS) and I'm trying to understand exactly when CORS rejection occurs during a request.

My understanding is that CORS is enforced by the browser to prevent web applications from making requests to other domains. However, I am uncertain about when the browser decides to reject a CORS request. Does it happen before the request is made (during the preflight request)? Or does it happen after the request is completed and the response comes back from the server with the Access-Control-Allow-Origin header?


Solution

  • From MDN, as I said in the comments:

    In CORS, a preflight request is sent with the OPTIONS method so that the server can respond if it is acceptable to send the request.

    The server now can respond if it will accept a request under these circumstances.

    More details about OPTIONS: MDN HTTP OPTIONS.
    More info about CORS: MDN CORS
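
To make the two possible rejection points concrete, here is an added example (not part of the original answer or of MDN) that models the browser's decision for a non-credentialed cross-origin request. The function names, the origin and the header sets are constructed for illustration; the model is simplified and ignores the preflight status code, preflight caching, and the value-length limits on safelisted headers.

```javascript
// Simplified model of the browser's CORS check (non-credentialed mode).
// All names here are hypothetical; inputs are plain header objects.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

const lower = (obj) =>
  Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
const list = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request headers that are not CORS-safelisted and therefore force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(lower(headers)).filter(([name, value]) => {
    if (SAFE_HEADERS.has(name)) return false;
    if (name === "content-type")
      return !SIMPLE_TYPES.has(value.split(";")[0].trim().toLowerCase());
    return true;
  }).map(([name]) => name);
}

const originAllowed = (resHeaders, origin) => {
  const acao = lower(resHeaders)["access-control-allow-origin"];
  return acao === "*" || acao === origin;
};

// Returns { preflight, sentToServer, blockedAt }, where blockedAt is
// "preflight", "response" or null (script may read the response).
function corsOutcome(req, preflightRes, actualRes) {
  const extra = unsafeHeaders(req.headers || {});
  const method = req.method.toUpperCase();
  const preflight = !SIMPLE_METHODS.has(method) || extra.length > 0;
  if (preflight) {
    const h = lower(preflightRes || {});
    const methods = list(h["access-control-allow-methods"]);
    const allowed = list(h["access-control-allow-headers"]);
    const ok = originAllowed(h, req.origin) &&
      (SIMPLE_METHODS.has(method) || methods.includes(method.toLowerCase()) || methods.includes("*")) &&
      // "*" does not cover Authorization; it must be listed explicitly.
      extra.every((n) => allowed.includes(n) || (n !== "authorization" && allowed.includes("*")));
    // Failed preflight: the real request never leaves the browser.
    if (!ok) return { preflight, sentToServer: false, blockedAt: "preflight" };
  }
  // The request reaches the server and is processed; only reading the response is blocked.
  const blockedAt = originAllowed(actualRes || {}, req.origin) ? null : "response";
  return { preflight, sentToServer: true, blockedAt };
}
```

A result of `blockedAt: "response"` with `sentToServer: true` is the case that matters for server-side design: the server has already executed the request, so CORS headers are not a substitute for authentication or CSRF protection on state-changing endpoints.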