The fundamental distinction is between the kind of request triggered by a user navigating a web page and the kind triggered by a script. This distinction is rooted in web history, based on what early browsers considered safe and unsafe. All browsers since have tried to maintain backwards compatibility so as to not violate the expectations of servers relying on those early de facto standards.
What kind of requests are generated by users navigating the web? Basically, GET
requests and POST
requests triggered by a form submission. Browsers have always allowed such cross-origin requests, and so they assume that servers are designed to handle them. But that doesn't include, for example, POSTS
that have custom headers that could only be added by a script. (For a precise description of what makes a request safe or not, see the Fetch specification.)
See my answer here for more detail on how CORS uses preflight requests to maintain backwards compatibility with the Same Origin Policy.