The whole point of Cross-Origin Resource Sharing (CORS) is to allow “cross-domain requests”, which are disabled by default by the browser’s same-origin security policy. If you only wanted to allow same-origin requests you wouldn’t need to register CORS at all - that’s the browser’s default policy.
I don’t understand exactly what you’re asking. Are you asking about something other than same-origin policy? Maybe like Same Site Cookies? Or something else?
Same origin is the default; you can only be unsafe by enabling CORS when you don’t want it. You literally have to do nothing. I’m not sure where the confusion is? No one has asked about how to enable the default same-origin security policy - it’s always about how to enable CORS to get their cross-domain requests working.
I am trying to say that, for devs who don’t know it, the fact that ‘Same Origin Policy’ is the default, that it therefore requires no headers to be sent, and that they therefore don’t need to configure the CorsFeature at all, is just a useful bit of information they could/should read in the docs - that’s all.
Devs who know what Same Origin Policy means will know that’s the browser’s default behavior. I mean, the existence of the term is because of the restriction browsers added and the reason why CORS even exists. Anyone wanting to enable CORS wants to know how they can enable it, not how they can restrict the very thing they want to enable.
Docs should not waste real estate on things no one’s looking for, which is why I’m confused about what exactly is being asked.