HTTP access control (CORS)
How does Access-Control-Allow-Origin header work?
Site B uses Access-Control-Allow-Origin to tell the browser that the content of this page is accessible to certain domains. By default, site B’s pages are not accessible to any other domain; using the ACAO header opens a door for cross-domain access by specific domains. Site B should serve its pages with:

    Access-Control-Allow-Origin: http://sitea.com
EDIT: What happens on the network level is actually slightly more complex than I suggest here; there is sometimes a data-less “preflight” request when using special headers or HTTP verbs other than GET and POST (e.g. PUT, DELETE). See my answer on Understanding XMLHttpRequest over CORS for more details.
For a “non-simple” HTTP verb like PUT or DELETE, the browser issues a “preflight request” using an OPTIONS request. In that case, the browser first checks to see if the domain and the verb are supported, by checking for Access-Control-Allow-Origin and Access-Control-Allow-Methods, respectively. (See the “Handling a Not-So-Simple Request” on the CORS page of HTML5 Rocks for more information.) The preflight response also lists permissible non-simple headers, included in Access-Control-Allow-Headers.
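The two exchanges described in this answer (a simple GET, and a preflighted PUT) as an added example; this is illustrative code, not part of the original answer and not any library's API. `corsResponseHeaders` plays site B's server with an explicit origin allowlist, and `browserPermitsRead` / `browserPermitsPreflight` model the checks the browser makes before letting a page at site A read the response. The origin names, the allowlist and the request objects are constructed for the example.

```javascript
// Added example: a minimal model of the CORS decision on both sides.
// Server side = "site B"; browser side = a page loaded from "site A".
// All origins, allowlists and requests here are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["http://sitea.com"]);        // constructed allowlist
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];      // verbs site B accepts cross-origin
const ALLOWED_HEADERS = ["content-type", "x-requested-with"];  // non-simple headers site B accepts

// Server side: given a request (method + lower-cased header map), return the
// CORS headers site B should attach. An empty object means "no cross-origin
// access granted"; the browser will then block the page from reading the body.
function corsResponseHeaders(req) {
  const headers = {};
  const origin = req.headers["origin"];
  // No Origin header: same-origin navigation or a non-browser client; add nothing.
  if (!origin) return headers;
  // Allowlist check: echo only a known origin back. Reflecting whatever Origin
  // arrived, or answering "*", would grant every site the same access.
  if (!ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  // Vary: Origin keeps shared caches from serving site A's ACAO to another origin.
  headers["Vary"] = "Origin";

  // Preflight = OPTIONS carrying Access-Control-Request-Method.
  const wantMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && Boolean(wantMethod);
  if (isPreflight) {
    if (!ALLOWED_METHODS.includes(wantMethod.toUpperCase())) return {}; // verb refused
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    const wantHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
    if (!wantHeaders.every(h => ALLOWED_HEADERS.includes(h))) return {};  // header refused
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this preflight
  }
  return headers;
}

// Browser side: may a page at pageOrigin read a response carrying these headers?
function browserPermitsRead(pageOrigin, resp) {
  const acao = resp["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Browser side: does the preflight response authorise the real request's
// method and its non-simple headers?
function browserPermitsPreflight(pageOrigin, method, reqHeaders, resp) {
  if (!browserPermitsRead(pageOrigin, resp)) return false;
  const methods = (resp["Access-Control-Allow-Methods"] || "")
    .split(",").map(s => s.trim().toUpperCase());
  if (!methods.includes(method.toUpperCase())) return false;
  const allowed = (resp["Access-Control-Allow-Headers"] || "")
    .split(",").map(s => s.trim().toLowerCase());
  return reqHeaders.every(h => allowed.includes(h.toLowerCase()));
}

// Walk through both exchanges from the answer and report the outcomes.
function demo() {
  // 1. Simple GET from the page at sitea.com: single request, no preflight.
  const simple = corsResponseHeaders({ method: "GET", headers: { origin: "http://sitea.com" } });
  // 2. Same GET from an origin that is not on the allowlist.
  const other = corsResponseHeaders({ method: "GET", headers: { origin: "http://sitec.example" } });
  // 3. PUT with a Content-Type header: browser sends OPTIONS preflight first.
  const preflight = corsResponseHeaders({
    method: "OPTIONS",
    headers: {
      origin: "http://sitea.com",
      "access-control-request-method": "PUT",
      "access-control-request-headers": "Content-Type",
    },
  });
  return {
    simpleGetAllowed: browserPermitsRead("http://sitea.com", simple),
    otherOriginAllowed: browserPermitsRead("http://sitec.example", other),
    putPreflightAllowed: browserPermitsPreflight("http://sitea.com", "PUT", ["Content-Type"], preflight),
  };
}

console.log(demo());
```

Note that the server's allowlist is only half the enforcement: the browser still compares the echoed origin to the page's own origin, so a server that reflects arbitrary `Origin` values effectively disables that comparison.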