Understand Cross-Origin Resource Sharing (CORS)
Adobe Experience Manager's Cross-Origin Resource Sharing (CORS) facilitates non-AEM web properties to make client-side calls to AEM, both authenticated and unauthenticated, to fetch content or directly interact with AEM.
A policy is selected by comparing the
1. Allowed Origin with the Origin request header
2. and Allowed Paths with the request path.
The first policy matching these values will be used. If none is found, any CORS request will be denied.
If no policy is configured at all, CORS requests will also not be answered as the handler will be disabled and thus effectively denied - as long as no other module of the server responds to CORS.