Fetch Standard §CORS · WHATWG · Must Know · Product

Cross-Origin Resource Sharing

State & Sessions · Web Hypertext Application Technology Working Group
WHY YOU NEED THIS

Every browser-side API call to a different origin hits CORS. Misconfigured CORS is a top source of dev frustration and security holes.

What It Defines

Defines how browsers permit or block cross-origin requests. Covers preflight requests (OPTIONS), Access-Control-Allow-Origin, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, and simple vs preflighted requests.

cors · browser · security · api

Standards Body
Web Hypertext Application Technology Working Group

Maintains the living standards for the web platform: HTML, DOM, Fetch, URL, Streams, and more. These are continuously updated living documents, not versioned snapshots.

Related Specs

WHATWG Fetch LS · WHATWG · Must Know

Fetch

Every fetch() call and XHR request is governed by this spec. It also defines CORS behavior in detail.

Product · Browser Platform

RFC 9110 · RFC · Must Know

HTTP Semantics

This is the core contract of every web API, browser request, and server response. You can't design or debug HTTP without knowing this.

Product · HTTP

W3C CSP Level 3 · W3C · Must Know

CSP

A well-configured CSP is the strongest mitigation against XSS. Required by modern security audits and browser hardening.

Product · State & Sessions