What does Cross-origin Resource Sharing (CORS) govern?

Get ready for your WGU ITEC2034 D385 Software Security and Testing Test. Study with multiple choice questions that include hints and explanations. Boost your confidence for your exam day!

Multiple Choice

What does Cross-origin Resource Sharing (CORS) govern?

Explanation:
Cross-origin Resource Sharing governs whether a web page loaded from one origin can request resources from a different origin. An origin is defined by the combination of scheme, host, and port, and the browser’s default same-origin policy restricts cross-origin requests. CORS provides a controlled way for servers to relax that policy by using headers like Access-Control-Allow-Origin. For simple requests, the response must include a matching Access-Control-Allow-Origin value for the browser to access the resource. For more complex requests, the browser may send a preflight OPTIONS request to ask for permission, and the server must respond with appropriate headers such as Access-Control-Allow-Methods and Access-Control-Allow-Headers. If credentials like cookies are involved, the server must explicitly permit them with Access-Control-Allow-Credentials and cannot use a wildcard origin. Without these headers, the browser blocks the cross-origin response. That’s why this option is the best description: it accurately captures the purpose of CORS. The other topics—default encoding, request rate limits, and cookie storage—are separate concerns and not what CORS governs.

