Product Security Knowledge Base

CORS Interview and Review Prompts

Use these prompts to test whether a candidate or reviewer understands browser trust boundaries, not just header names.

  1. What three values define an origin?
  2. Why does https://app.example.com differ from http://app.example.com?
  3. Why does Access-Control-Allow-Origin: * fail with credentialed requests?
  4. Which request shapes trigger a preflight and why?
  5. Why is CORS not a defense against CSRF by itself?
  6. Why is OPTIONS handling often implemented at the edge or reverse-proxy layer?
  7. What is the difference between "the browser may send the request" and "the browser may expose the response to JavaScript"?
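The following JavaScript is an added illustration, not part of the knowledge base or any product code. It models the decisions behind the prompts above: origin comparison (prompts 1 and 2), the preflight rule (4), the server's origin allowlist and preflight answer (3 and 6), the browser's read check (3 and 7), and a walkthrough of why a cookie-bearing form POST gets through regardless of CORS (5). Host names such as app.example.com and evil.example and all function names are this example's own; the safelist check is simplified (the real one also caps header value length and bans certain bytes).

```javascript
// Added example, not part of the knowledge base: a small model of the browser- and
// server-side decisions the prompts above probe. Host names are made up.

// Prompts 1 and 2: an origin is the (scheme, host, port) triple. Default ports are
// filled in so that https://app.example.com and https://app.example.com:443 compare
// equal; a scheme change (http vs https) is a different origin even on the same host.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function parseOrigin(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.replace(/:$/, ''),
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Prompt 4: a cross-origin request goes out without a preflight only if its method is
// GET/HEAD/POST, every request header is CORS-safelisted, and any Content-Type is one
// of three form-era values. Anything else makes the browser send OPTIONS first.
// (Simplified: the real safelist also caps header value length and bans some bytes.)
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;          // e.g. Authorization, X-CSRF-Token
    if (n === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;   // application/json is not "simple"
    }
  }
  return false;
}

// Prompts 3 and 6: the server (or the proxy in front of it) answers the Origin header.
// Only exact allowlist matches are echoed back (never '*' together with credentials,
// never a prefix or regex match), and the response varies on Origin so a shared cache
// cannot hand one origin's answer to another. For a preflight the same function also
// lists the methods and headers the server accepts.
function corsResponseHeaders(requestOrigin, allowlist, credentialed, preflight = false) {
  if (requestOrigin === undefined || !allowlist.has(requestOrigin)) return {}; // say nothing; the browser blocks the read
  const h = { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
  if (credentialed) h['Access-Control-Allow-Credentials'] = 'true';
  if (preflight) {
    h['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    h['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// Prompts 3 and 7: by the time the response arrives the request has already been sent.
// CORS only decides whether script running in requestOrigin may read it. A credentialed
// request is refused the wildcard; it needs its own origin echoed plus Allow-Credentials: true.
function browserExposesResponse(requestOrigin, responseHeaders, credentialed) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !credentialed;
  if (acao !== requestOrigin) return false;
  return credentialed ? responseHeaders['Access-Control-Allow-Credentials'] === 'true' : true;
}

// Prompt 5, walked through: the classic CSRF shape is a cookie-bearing form POST from
// an attacker page. It needs no preflight, so the browser sends it whatever the target's
// CORS policy says; the policy only keeps the attacker from reading the answer, which
// CSRF never needed. The state change has already happened server-side.
function csrfWalkthrough(attackerOrigin, victimAllowlist) {
  const req = { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } };
  const sent = !needsPreflight(req);   // true: there is no OPTIONS round trip to refuse it
  const headers = corsResponseHeaders(attackerOrigin, victimAllowlist, true);
  const readable = browserExposesResponse(attackerOrigin, headers, true);
  return { sent, readable };           // { sent: true, readable: false }
}
```

A useful way to use this in an interview is to ask the candidate to predict each function's result for a given request before running it: which of a JSON POST, a form POST, and a GET with an Authorization header triggers a preflight, and why the wildcard answer that works for the anonymous request is rejected the moment credentials are attached.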