In web security, a *resource* is anything addressable by a URL that the browser can fetch — the thing on the other end of a request. A "cross-origin resource" is simply data living at a URL whose origin differs from the page requesting it. The term is the "R" in both URL (Uniform **Resource** Locator) and REST.

## What Counts as a Resource

- An **HTTP endpoint / API response** (e.g. JSON from `/users`)
- A **file** — image, script, stylesheet, font, video
- A **document** — an HTML page (e.g. loaded in an iframe)
- Origin-scoped browser state — **cookies, `localStorage`, the DOM** of another page

## Why It Matters for SOP / CORS

The Same-Origin Policy doesn't restrict "websites" — it gates access to **resources**, judged per-resource by the origin of *that resource's* URL:

- One page can pull resources from many origins at once (CDN image, third-party script, own-backend API). Each is evaluated separately.
- You can **embed/use** a cross-origin resource (render the image, run the script) but not **read** its bytes via `fetch`/XHR unless its server opts in with CORS headers.

So `Access-Control-Allow-Origin` declares which origin may *read* a resource — the response body the server decides whether to expose.

---

*Source: RFC 9110 — HTTP Semantics §3.1 "Resources" (IETF, June 2022, https://www.rfc-editor.org/rfc/rfc9110#name-resources); RFC 3986 — URI Generic Syntax §1.1; MDN Web Docs — What is a URL (https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Web_mechanics/What_is_a_URL).*
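The per-resource evaluation described under "Why It Matters for SOP / CORS", as an added example that is not part of the original page: it compares each resource's origin with the page's origin and then applies the `Access-Control-Allow-Origin` value to decide whether script may read the body. The hostnames are constructed samples, `originOf`, `classify` and `report` are hypothetical helper names, and the model deliberately ignores credentials and preflight requests.

```javascript
// Simplified model of the browser's read check; not a full Fetch/CORS
// implementation (credentials and preflight are out of scope here).

// An origin is scheme + host + port. URL.origin drops default ports,
// so https://host:443 and https://host compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// Can script running on `pageUrl` read the body fetched from `resourceUrl`?
// `acao` is the response's Access-Control-Allow-Origin value, or undefined
// when the server sent no such header.
function classify(pageUrl, resourceUrl, acao) {
  const page = originOf(pageUrl);
  const resource = originOf(resourceUrl);
  if (page === resource) return 'same-origin: readable';
  if (acao === '*' || acao === page) return 'cross-origin: readable (CORS opt-in)';
  return 'cross-origin: usable by embedding, body not readable';
}

// Constructed sample: one page pulling resources from several origins.
const PAGE = 'https://app.example.com/dashboard';
const SAMPLES = [
  ['https://app.example.com:443/users', undefined],   // default port, same origin
  ['http://app.example.com/users', undefined],        // scheme differs
  ['https://cdn.example.net/logo.png', undefined],    // no opt-in
  ['https://api.example.org/users', 'https://app.example.com'],
  ['https://api.example.org/users', 'https://other.example.com'],
  ['https://fonts.example.net/a.woff2', '*'],
];

// Each resource is evaluated separately, against its own URL's origin.
function report() {
  return SAMPLES.map(
    ([url, acao]) => `${originOf(url)} -> ${classify(PAGE, url, acao)}`
  );
}

console.log(report().join('\n'));
```
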