CORS is a security mechanism whereby an HTTP/S request is blocked if it arrives from a different domain than the one where the application is hosted. More information can be found in the Microsoft documentation or on the Mozilla site for developers.
A browser prevents a web page from making requests to a domain other than the domain that serves that web page. A web page, SPA, or server-side web page can make HTTP requests to several backend APIs that are hosted in different origins.
We, therefore, understand that the CORS qualification, as it relates to safety, must be evaluated with caution.
The most common scenario is that of SPAs that are released on web servers with different web addresses than the web server hosting the minimal API: