Cross-origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser that a web app running at one origin is permitted to access selected resources from a server at a different origin.
- Access-Control-Allow-Origin: http://foo.example
- Access-Control-Allow-Methods: POST, GET, OPTIONS
- Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
- Access-Control-Max-Age: 86400
The Content-Security-Policy (CSP) response header allows a website administrator to control which resources the user agent is allowed to load for a given page, using directives such as:
- connect-src
- font-src
- img-src
- media-src
- frame-src (controls src in iframe or frame)
- manifest-src
CORS allows site A to grant site B permission to read (potentially private) data from site A (using the visitor's browser and credentials).
CSP allows a site to prevent itself from loading (potentially malicious) content from unexpected sources (e.g. as a defence against XSS).
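As an added example (not code from the original notes), a small Python helper that emits the CORS headers listed above only for an allowlisted origin, and serialises a CSP policy built from the directives above; the allowlisted origin, API host and policy values are constructed for illustration.

```python
# Added example: building CORS and CSP response headers from an explicit
# allowlist. Constructed for these notes, not code from the original page.
from typing import Dict, List, Optional

# Constructed allowlist: only this origin may read cross-origin responses.
ALLOWED_ORIGINS = {"http://foo.example"}
ALLOWED_METHODS = ("POST", "GET", "OPTIONS")
ALLOWED_HEADERS = ("X-PINGOTHER", "Content-Type")
PREFLIGHT_MAX_AGE = 86400  # seconds a browser may cache the preflight result


def cors_headers(origin: Optional[str], preflight: bool = False) -> Dict[str, str]:
    """Return the CORS headers to attach to a response for `origin`.

    An origin that is not on the allowlist gets no Access-Control-* headers,
    so the browser will not expose the response to that page. The Origin value
    is only echoed back when it matched the allowlist; reflecting an arbitrary
    Origin would let any site read the response with the visitor's credentials.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # caches must not serve this response to other origins
    }
    if preflight:  # answer to an OPTIONS preflight request
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return headers


# Constructed CSP: each directive names the sources the page may load from.
CSP_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "connect-src": ["'self'", "https://api.example"],
    "font-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "media-src": ["'none'"],
    "frame-src": ["'none'"],   # no iframe/frame content at all
    "manifest-src": ["'self'"],
}


def csp_header(policy: Dict[str, List[str]]) -> str:
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())
```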