CORS allows a browser and a server to interact and determine whether or not to allow specific cross-origin requests (such as XMLHttpRequests calls made from JavaScript on a web page to other domains).

In our scenario, we would like the product service to be accessed only by internal developers who are in the ShipAnyWhere domain. I add the following CORS policy to all the operations of the product service as shown:

When you test the API from POST, you will receive 200. But the response JSON will not be received as the inbound policy blocks the request:

When you click on the trace location, you will see that the request is being terminated as the origin was different from the http://ShipAnyWhere.com domain: