ASP.NET Monsters #40: Understanding and Enabling CORS in ASP.NET Core
There are many legitimate reasons why you'd want to allow your application to share data with other sites, but we don't want to do it in such a way that it allows wide-open access to your API or controller surface area. Often, we have a set of resources we want to share, with a set of origins that we trust to use our site appropriately.
Browsers today do not allow Cross Origin Resource Sharing by default, but because of the way the request-response works, you can enable it on the server where the resource is located. In this video, Monster James explains how to relax the default server policy and enable CORS for trusted origins.
For more information on the security vulnerabilites avoided by disabling CORS by default in the browser, please check out this entry in Wikipedia.