You only need Cross-Origin Resource Sharing (CORS) or JSONP if client-side JavaScript in a webpage needs to make an HTTP request to an HTTP server with a different origin (scheme, hostname and/or port).
(Exception: if it is a simple request and you do not need the response data to be available to the JS.)
If the JavaScript error console complains about "Origin foo is not allowed by Access-Control-Allow-Origin", you need CORS.
Same-Origin Policy (SOP) allows any JavaScript to make an HTTP request to the origin of the page into which it is loaded. The JavaScript could be hosted on a different origin, but it is still loaded into a page whose origin it makes the request to. The origin is determined by the URL of the HTML document the script is loaded into, not the URL the script is loaded from.
So you don't need CORS if you're providing a client-side script to a customer that hits the customer's API. You do need CORS if that script is loaded on the customer's origin and makes a request to your API.
SOP/CORS does not apply to WebSocket, but browsers will send an Origin header that contains the hostname of the server that served the HTML with the JS that opened the WebSocket connection. A WebSocket server can then restrict access by checking Origin.
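As an added example (not part of the original text), a server-side Origin check for the WebSocket handshake could look like the following. The allowlist entries, function names and sample header objects are constructed for illustration.

```javascript
// Constructed allowlist, stored in normalized form (scheme://host[:port]).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Return the normalized origin, or null if the header is absent, opaque
// ("null"), malformed, or carries more than scheme, host and port.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== "/") return null;
  return url.origin; // host lower-cased, default port dropped
}

// Decide the handshake outcome from the upgrade request's headers.
// Node's http module lower-cases header names, hence headers.origin.
function checkWebSocketHandshake(headers) {
  const upgrade = String(headers.upgrade || "").toLowerCase();
  if (upgrade !== "websocket") return { status: 400, reason: "not a WebSocket upgrade" };
  const origin = normalizeOrigin(headers.origin);
  if (origin === null) return { status: 403, reason: "missing or invalid Origin" };
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, reason: "origin not allowed" };
  return { status: 101, reason: "origin allowed" };
}

// Constructed sample handshakes: exact match, lookalike host, wrong scheme,
// opaque origin, and a client that sends no Origin at all.
const SAMPLES = [
  { upgrade: "websocket", origin: "https://app.example.com" },
  { upgrade: "websocket", origin: "https://app.example.com.evil.test" },
  { upgrade: "websocket", origin: "http://app.example.com" },
  { upgrade: "websocket", origin: "null" },
  { upgrade: "websocket" },
];
for (const headers of SAMPLES) {
  console.log(headers.origin, "->", checkWebSocketHandshake(headers).status);
}
```

Non-browser clients can send any Origin value, so this check stops pages on other sites from opening the socket through a visitor's browser and does not replace authentication.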