Resources like images, styles and scripts can be embeded from any other domain. But AJAX requests to other domains are limited due to the same origin policy.
CORS works by sending the Origin
header in the HTTP request, e.g., Origin: http://example.com
and setting the Access-Control-Allow-Origin
for the server.