1

I don't understand what is going on here. I've got two IIS6 Sites running on the same server. One is www.example1.com and the other is www.example2.com.

When looking at the HTTP Headers in Google Chrome, I do not see any Access-Control-Allow-* Headers. Yet, when I request a resource from either domain, the request succeeds.

Can someone explain to me why the request succeeds?

S. Walker

1 Answer

0

If you’re not sending the request from frontend JavaScript code in a web application, then the request will succeed. The browser gets the response regardless—but the browser is the sole enforcement point for restrictions on cross-origin requests. If a response doesn’t have an Access-Control-Allow-Origin response header, the browser is the point at which it will be blocked—but the browser only restricts the ability of XHR/Fetch JavaScript code to access the response. You will otherwise still be able to see the response in browser devtools and if you load the request URL in the browser address bar, or use the request URL as the href or src value in your HTML source.

sideshowbarker
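A simplified model of the browser-side decision described in the answer above, added here as an example and not part of the original post. The function names, initiator labels and sample headers are assumptions constructed for illustration; `corsCheck` follows the core of the Fetch standard's CORS check.

```javascript
// Constructed sample: headers of a response that carries no CORS headers,
// like the ones the question describes.
const BARE = { "Content-Type": "application/json" };

function header(headers, name) {
  // HTTP header names are case-insensitive.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Core of the Fetch standard's CORS check: may script running on pageOrigin
// read a cross-origin response that carries these headers?
function corsCheck(pageOrigin, headers, withCredentials = false) {
  const allow = header(headers, "access-control-allow-origin");
  if (allow === undefined) return false;               // header absent
  if (!withCredentials && allow === "*") return true;  // wildcard, no credentials
  if (allow !== pageOrigin) return false;              // must match exactly
  if (!withCredentials) return true;
  return header(headers, "access-control-allow-credentials") === "true";
}

// initiator (hypothetical labels): "navigation" = address bar or link,
// "embed" = src/href in HTML, "fetch" = XHR/Fetch from page script.
// The server has already answered in every case; this only decides what
// the browser does with the response.
function browserOutcome(initiator, pageOrigin, url, headers, withCredentials = false) {
  if (initiator !== "fetch") return "loaded";
  if (new URL(url).origin === pageOrigin) return "readable"; // same origin
  return corsCheck(pageOrigin, headers, withCredentials) ? "readable" : "blocked";
}

const PAGE = "http://www.example1.com";
const URL2 = "http://www.example2.com/data.json";
for (const kind of ["navigation", "embed", "fetch"]) {
  console.log(kind, "->", browserOutcome(kind, PAGE, URL2, BARE));
}
```

Because the check runs only in the browser, the absence of `Access-Control-Allow-Origin` is not an access control on the server: any non-browser client receives the same response.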