1. The website JS is served from a domain say "website.co" to the browser when you visit it.
2. If this JS tries to make a XHR to a domain that is NOT "website.co"(not the origin of JS) the browser first sends a preflight request (OPTIONS) asking for "guidance" from this second domain.
3. The Web Server on second domain responds with "a request" to block/allow XHR calls from JS served from certain domains.
4. The browser chooses (by default) to not make the GET/POST call if the JS domain(website.co/*) is not in "Access-Control-Allow-Origin" header.
There are other nuances but that is it really. Things to note
1. The browser enforces CORS. Not the web server. You can disable this enforcement with a flag in both Chrome and FireFox.
2. Since only browsers enforce CORS, other tools(cURL, PostMan) will successfully make GET POST request regardless CORS config on the webserver.
3. If you could intercept (using a proxy) and change headers in response to preflight request you can bypass CORS on browsers.