While all of the answers here are a really good explanation of what cors is but the direct answer to your question would be because of the following differences postman and browser.
Browser: Sends OPTIONS
call to check the server type and getting the headers before sending any new request to the API endpoint. Where it checks for Access-Control-Allow-Origin
. Taking this into account Access-Control-Allow-Origin
header just specifies which all CROSS ORIGINS are allowed, although by default browser will only allow the same origin.
Postman: Sends direct GET
, POST
, PUT
, DELETE
etc. request without checking what type of server is and getting the header Access-Control-Allow-Origin
by using OPTIONS
call to the server.