When an HTTP request is made the request includes an Origin header that indicates the domain of the client code
The server will consider the requests Origin and either allow or disallow the request
If the server allows the request then it will respond with the requested resource and an Access-Control-Allow-Origin header in the response
If the Access-Control-Allow-Origin header matches the Origin header then the browser will allow the request