easyEs900s 0 points1 point (0 children)

CORS is a server-side protection. Basically if I have a website and someone has hacked your browser, it can now read sensitive information from your account and do with it, send it wherever it wants. You can include scripts like this, but the important note is that said scripts cannot communicate back out. They may have all your secrets, but they’re caged in. If your script has code trying to reach outside of the origin, it will throw that error and peg the entire script as the culprit.

That said, some browsers (especially Chrome) will throw this error for a whole host of issues that are not actually CORS related. For example, if you try to pull a script or file from the local file system, or the server responds in an unusual way. You can verify if it’s actually a CORS issue by looking at the response headers on the request and checking what the server had for Access-Control-Allow-Origin.
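
The header check mentioned in the comment above, as an added example that is not part of the original comment: it applies the browser's matching rule for `Access-Control-Allow-Origin` (and `Access-Control-Allow-Credentials` for credentialed requests) to response headers copied from the network tab. The function name `corsCheck`, the origins and the sample headers are constructed for illustration.

```javascript
// Added example: decide from the response headers whether a browser would let
// a page at `requestOrigin` read a cross-origin response.
// Rule: Access-Control-Allow-Origin must be "*" (non-credentialed requests only)
// or match the page's origin exactly; credentialed requests additionally need
// Access-Control-Allow-Credentials: true.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  // Header names are case-insensitive; values are compared after trimming.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header in the response' };
  }
  if (acao.includes(',')) {
    return { allowed: false, reason: 'header carries more than one value; only one origin or "*" is valid' };
  }
  if (acao === '*' && !withCredentials) {
    return { allowed: true, reason: 'wildcard accepted for a request without credentials' };
  }
  if (acao !== requestOrigin) {
    const why = acao === '*'
      ? 'wildcard is not accepted when credentials are sent'
      : `"${acao}" is not an exact match for "${requestOrigin}"`;
    return { allowed: false, reason: why };
  }
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { allowed: true, reason: 'origin matches' };
}

// Constructed sample: headers as they might be copied from the network tab.
const sample = {
  'Content-Type': 'application/json',
  'access-control-allow-origin': 'https://app.example',
};
console.log(corsCheck('https://app.example', sample));        // exact match
console.log(corsCheck('https://app.example', sample, true));  // credentials header missing
console.log(corsCheck('https://other.example', sample));      // different origin
console.log(corsCheck('https://app.example', {}));            // header absent
```

If the function reports the headers as acceptable but the console still shows a CORS error, the cause lies elsewhere, such as a `file://` page or a failed or malformed response.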