Configure a cross-origin fetch and see whether the browser sends it directly
(simple) or fires an OPTIONS preflight first — plus exactly why,
and the response headers the server must return.
CORS blocks reading a response in JS — not sending the request. These cross-origin mechanisms send requests freely; only some let your script read the result.