The Same Origin Policy (SOP) is the policy browsers implement to prevent vulnerabilities via Cross Site Scripting (XSS). In other words, the browser does not allow any site to make a request to any other site. It prevents different origins from interacting with each other through such requests, for example AJAX calls. This policy exists because it is too easy to inject a link to a JavaScript file that is on a different domain. This is a security risk: you really only want code that comes from the site you are on to execute, not just any code that is out there.<br>
<br>
Cross Origin Resource Sharing (CORS) is one of the few techniques for relaxing the SOP. Because SOP is "on" by default, configuring CORS on the server side allows a request to be sent to the server via an XMLHttpRequest even if the request comes from a different domain. This is useful if your server is intended to serve requests from other domains (e.g. if you are providing an API).<br>
<br>
JSON with Padding (JSONP) is just a way to circumvent the same-origin policy when CORS is not an option. This is risky and a bad practice. Avoid using it.<br>
<br>
If you want to bypass that restriction when fetching content with the Fetch API or XMLHttpRequest in <a href="http://net-informations.com/js/default.htm">JavaScript</a>, you can use a proxy server that sets the header Access-Control-Allow-Origin to *.<br>
<br>
If you need to enable CORS on the server for requests from localhost, the server needs to send the following header.<br>
<p>Access-Control-Allow-Origin: http://localhost:9999</p>
<br>