CORS works with HTTP headers sent by servers at the top-level navigation. It is poorly understood by developers and often badly implemented. A browser may block requests going to a.com if they are initiated by b.com or any origin not whitelisted by the
Dappy browser sets an Origin header on each request coming from a tab, so the server can easily know which website the client was visiting when the request was sent. Restricted actions that require authentication must be authorized through cookies, headers or the body of the request itself. The server does not need CORS for any of these 3 checks.
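One way a server can make these checks itself, without relying on CORS, shown as an added example that is not Dappy's own code. The origin allowlist, the token value, the cookie name `session` and the body field `token` are assumptions constructed for illustration.

```javascript
// Constructed values for illustration; not taken from Dappy.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // hypothetical allowlist
const SESSION_TOKEN = "constructed-session-token";        // sample secret

// Compare two strings without stopping at the first differing character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  return diff === 0;
}

// Parse a Cookie header into a prototype-free map.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Look for the credential in the three places the text names:
// cookie, header, then request body.
function findCredential(req) {
  const cookie = parseCookies(req.headers["cookie"])["session"];
  if (cookie) return cookie;
  const auth = req.headers["authorization"] || "";
  if (auth.startsWith("Bearer ") && auth.length > 7) return auth.slice(7);
  const t = req.body && req.body.token;
  return typeof t === "string" && t.length > 0 ? t : null;
}

// req.headers uses lowercase keys, as Node's http module provides them.
// Origin only says which site the tab was on; any non-browser client can
// set it freely, so the credential check is what authenticates the request.
function authorize(req) {
  const origin = req.headers["origin"];
  if (!origin) return { allowed: false, reason: "missing-origin" };
  if (!TRUSTED_ORIGINS.has(origin)) return { allowed: false, reason: "untrusted-origin" };
  const cred = findCredential(req);
  if (!cred) return { allowed: false, reason: "no-credential" };
  if (!safeEqual(cred, SESSION_TOKEN)) return { allowed: false, reason: "bad-credential" };
  return { allowed: true, reason: "ok" };
}
```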
If you think this is a mistake or have comments, please reach out to us on Discord or by email.