Cross‐Origin Resource Sharing (CORS), which has been proposed by the Web Applications Working Group, provides a way for web servers to support cross‐site access controls, which enable secure cross-site data transfers.

The Cross‐Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser.

Additionally, for HTTP request methods that can cause side‐effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers pre‐flight the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon “approval” from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether “credentials” (including Cookies and HTTP Authentication data) should be sent with requests.

The CORS‐specific headers that can be used in cross‐origin and pre‐flight requests can be found in the Syntax section of the W3C Working Draft for CORS.

In order to support cross‐domain request, the Call Setup API has supported CORS since version 1.0.