Allowing Access from Foreign Clients

An HTTP server, by its nature, answers requests from any client that reaches it; that is simply how the web works, and a web application could not operate otherwise. One consequence is that a page loaded from a foreign site can make the visitor's browser send requests to our server, carrying the visitor's cookies, and the JavaScript on that page may be able to read what our server sends back. This usually is not what we want.

One possible attack is called CSRF, or Cross-Site Request Forgery. In its simplest form, imagine that you are logged in to your banking site and, in another tab, open a malicious page. That page contains a hidden form which automatically posts a transfer request to your bank. Because your browser attaches the bank's session cookie to every request it sends to the bank's domain, no matter which page triggered the request, the bank sees what looks like a legitimate request from you and executes it. You will not even notice! The attacker never needs your credentials; your browser supplies your session for free. Spring Security enables CSRF protection by default, using a per-session token that a foreign page cannot obtain, and we will see how to configure this later.

Browsers implement the Same-Origin Policy (SOP) to contain many of these problems: by default, a script may only read responses from the origin (scheme, host and port) that served it. It is, however, a quite rigid policy that also prohibits the legitimate sharing of resources between servers that you control yourself, for example a single-page application served from one host that calls a REST API on another. Cross-Origin Resource Sharing (CORS) is the standard way to relax the SOP selectively: the server declares, through response headers, which foreign origins may read its responses, and the browser enforces that declaration. Note that CORS does not stop a request from being sent or executed; it only controls whether the calling script gets to see the answer, so it is no substitute for CSRF protection. We will work with Spring Security's support to configure CORS later on.
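The following is an added example, not code from this book and not Spring Security's implementation. It shows the decision a server makes when it relaxes the SOP with CORS: match the Origin header against an allow-list, answer a preflight OPTIONS request, and tell which requests the browser sends without any preflight at all. The origins, header lists and function names are this example's own assumptions.

```javascript
// Added example: the server side of CORS, in plain functions so the logic can
// be read and tested without a running server.

// Allow-list of foreign origins that may read our responses (constructed).
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization", "x-xsrf-token"];

// Given the (lower-cased) request headers, return the CORS response headers,
// or {} when the origin is not allowed. Without Access-Control-Allow-Origin the
// browser withholds the response from the calling script: the SOP default.
function corsHeaders(reqHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = reqHeaders["origin"];
  if (!origin) return {}; // same-origin or non-browser client: nothing to add
  // Exact match against the allow-list. Never reflect an arbitrary Origin
  // back, and never combine "*" with Allow-Credentials: browsers reject it.
  if (!allowedOrigins.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The value depends on the request's Origin, so caches must key on it.
    "Vary": "Origin",
  };
}

// Preflight: before a non-simple cross-origin request the browser sends
// OPTIONS with Access-Control-Request-Method/-Headers; we answer what is
// permitted. A refused preflight gets no CORS headers, so the real request is
// never sent by the browser.
function handlePreflight(reqHeaders) {
  const base = corsHeaders(reqHeaders);
  if (Object.keys(base).length === 0) return { status: 403, headers: {} };
  const method = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  if (!ALLOWED_METHODS.includes(method)) return { status: 403, headers: {} };
  const requested = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((h) => ALLOWED_HEADERS.includes(h))) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}

// Does the browser preflight this request? `headers` are the headers the page
// author sets, not those the browser adds itself. A plain HTML form POST is a
// "simple" request: it is sent immediately, cookies included, and only the
// *reading* of the response is blocked by the SOP. That is why CORS alone is
// not a defence against CSRF.
function needsPreflight(method, headers) {
  const simpleMethods = ["GET", "HEAD", "POST"];
  const simpleTypes = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
  const safelisted = ["accept", "accept-language", "content-language"];
  if (!simpleMethods.includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!simpleTypes.includes(mime)) return true;
    } else if (!safelisted.includes(n)) {
      return true;
    }
  }
  return false;
}

console.log(corsHeaders({ origin: "https://app.example.com" }));
console.log(handlePreflight({
  origin: "https://app.example.com",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "Content-Type, Authorization",
}));
console.log(needsPreflight("POST", { "Content-Type": "application/x-www-form-urlencoded" }));
```

The allow-list is the important part: a server that reflects any Origin header together with Allow-Credentials has effectively switched the SOP off for every site on the internet, which is exactly the situation the policy exists to prevent.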

As so often with things relating to HTTP and the web, the Mozilla Developer Network is an excellent resource to get more information about SOP, CORS, and CSRF: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy.