The browser automatically attaches the "Origin" header to every request to identify the origin of the call.
The "Access-Control-Allow-Origin" and "Access-Control-Allow-Methods" headers are attached to every response so the browser can cross-check whether the response is valid.
For example, for an Apache server:
    <IfModule mod_headers.c>
        Header always set Access-Control-Allow-Origin "*"
        Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
        Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
    </IfModule>
Solving "blocked by CORS policy"
A server internal error can falsely trigger the CORS error in a JS API fetch. If the server code stops executing because of any interruption, the proper headers are never injected into the response, which causes a false alarm. Fixing the bugs in the server code will likely solve the issue.
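
The false alarm described above, as an added example that is not code from the original page: a handler that throws loses its CORS headers when they are injected only on the success path, so the browser reports a CORS block instead of the real 500. The handler, origin and function names are constructed for illustration, and browserVerdict is a simplified model of the browser's check.

```javascript
// Added example: constructed handlers and names, not from the original page.
const CORS_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization",
};

// Constructed handler that fails midway, standing in for buggy server code.
function buggyHandler(req) {
  throw new Error("database connection lost");
}

// Before: headers are injected only after the handler returns, so an
// exception skips them and a bare 500 goes out (modelled by the catch).
function naiveServe(handler, req) {
  try {
    const body = handler(req);
    return { status: 200, headers: { ...CORS_HEADERS }, body };
  } catch (err) {
    return { status: 500, headers: {}, body: "Internal Server Error" };
  }
}

// After: headers are prepared before the handler runs and kept on the
// error path, so the page's script can see the real status code.
function hardenedServe(handler, req) {
  const headers = { ...CORS_HEADERS };
  try {
    return { status: 200, headers, body: handler(req) };
  } catch (err) {
    return { status: 500, headers, body: "Internal Server Error" };
  }
}

// Simplified model of the browser's check on a cross-origin response.
function browserVerdict(res, pageOrigin) {
  const allowed = res.headers["Access-Control-Allow-Origin"];
  if (allowed !== "*" && allowed !== pageOrigin) {
    return "blocked by CORS policy"; // status and body are hidden from JS
  }
  return res.status >= 500 ? `server error ${res.status}` : "ok";
}

const origin = "https://app.example"; // constructed origin
console.log(browserVerdict(naiveServe(buggyHandler, {}), origin));
console.log(browserVerdict(hardenedServe(buggyHandler, {}), origin));
```

In the Apache configuration above, the "always" condition plays the same role as the hardened path: mod_headers applies those headers to error responses as well as successful ones.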