CORS issues are the bane of frontend engineers.
In Val Town, if you don't customize any CORS headers, we add these defaults:
Access-Control-Allow-Origin: "*"
Access-Control-Allow-Methods: "GET,HEAD,PUT,PATCH,POST,DELETE"
You can override them if you wish to disallow CORS.
This val is a client-side-rendered React app that makes requests to @stevekrouse/cors_example_backend. The backend is in a different val because CORS applies to requests on different domains. The backend has examples of the default permissive CORS behavior and disabled CORS.