Theory
- When the same-origin policy (SOP) is enforced, cross-domain requests are still made (using fetch, XHR, etc.), but the response cannot be read.
- Images and iframes can still be loaded cross-domain because they are not loaded through JavaScript.
- Non-standard POST requests require an OPTIONS preflight.
The Cross-Origin Resource Sharing (CORS) specification was introduced to allow developers to relax the same-origin policy.
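
To make "non-standard" concrete, the following added example (not part of the original notes) models the browser's decision to send an OPTIONS preflight, using the safelisted methods, headers and content types from the Fetch specification. The function names are hypothetical, and the model is simplified: it takes only author-set headers and ignores the `Range` header, header length limits and upload listeners.

```javascript
// Added example: simplified model of the Fetch spec's preflight decision.
// Assumption: only author-set headers are passed in; Range, header length
// limits and upload listeners are not modelled.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns the list of reasons a request would trigger a preflight.
function preflightReasons({ method = "GET", headers = {} }) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method.toUpperCase()}`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (SAFE_HEADERS.has(lower)) continue;
    if (lower === "content-type") {
      // Parameters such as "; charset=utf-8" do not affect the check.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) reasons.push(`content-type ${essence}`);
      continue;
    }
    reasons.push(`header ${lower}`);
  }
  return reasons;
}

function needsPreflight(request) {
  return preflightReasons(request).length > 0;
}

// Constructed sample requests.
const samples = [
  { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { method: "POST", headers: { "Content-Type": "application/json" } },
  { method: "GET", headers: { Authorization: "Bearer PLACEHOLDER" } },
  { method: "DELETE" },
];
for (const s of samples) {
  console.log(s.method, JSON.stringify(s.headers || {}), "->",
    needsPreflight(s) ? `preflight (${preflightReasons(s).join(", ")})` : "no preflight");
}
```

Requests reported as "no preflight" are delivered to the server as-is even though the response is unreadable, so state-changing endpoints cannot rely on the preflight as a CSRF defence.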
