CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which websites are allowed to make HTTP requests to a server on a different domain, preventing unauthorized cross-origin data access.
Browsers enforce a security policy called the Same-Origin Policy: JavaScript on one domain cannot make requests to a different domain without explicit permission. CORS is the mechanism that grants this permission.
When your form at yoursite.com sends an AJAX request to formslist.com/f/abc123, the browser first checks whether FormsList's server allows requests from yoursite.com. It does this by looking at the Access-Control-Allow-Origin response header. If the header includes yoursite.com (or the wildcard *), the request proceeds. If not, the browser blocks it.
For simple form submissions (traditional HTML form posts), CORS doesn't apply — the browser navigates to the action URL directly. CORS only affects JavaScript-initiated requests (AJAX/Fetch API), which is why it matters for modern single-page applications.
FormsList endpoints include permissive CORS headers (Access-Control-Allow-Origin: *) so that AJAX form submissions work from any domain without additional configuration. If you're building your own form endpoint, you need to set these headers yourself, typically by configuring your web server or adding middleware in your application code.
For AJAX POST requests with JSON content type, the browser sends an OPTIONS request first (preflight) to check CORS permissions. The server must respond with appropriate Access-Control-Allow-* headers.
Setting Access-Control-Allow-Origin: * allows any website to make requests to your endpoint. This is appropriate for public form endpoints but not for sensitive APIs.
Setting Access-Control-Allow-Origin to a specific domain (https://yoursite.com) restricts access to only that domain. Multiple origins require server-side logic to check the request origin.
Set up your form backend in under a minute. No server required, no complex configuration — just a simple endpoint for your forms.