Answer
Same-origin is a browser safety rule; CORS is a server permission system.
• Same-origin blocks many reads between different origins.
• CORS headers can allow selected outside origins.
• Choose the option whose defined semantics and behavior match the task.
💡 Simple Example
An API can send `Access-Control-Allow-Origin: https://shop.example`.
⚡ Quick Revision
Same-origin blocks by default; CORS can safely allow selected access.