Same-Origin Policy
Name the scheme, host, and port that form a URL's origin, decide whether two pages are same-origin, and predict whether a script can read a cross-origin response or only send the request.
CORS & Preflight
Read an OPTIONS preflight exchange and name what each Access-Control-* header does, predict whether a request is sent directly or preflighted from its method and content type, and fix a wildcard origin that breaks the moment credentials ride along.
Cookies & SameSite
Predict whether a stored cookie rides a cross-site request from its SameSite value, tell the site boundary apart from the origin boundary that blocks a cross-origin read, and assemble the flags a login session versus a third-party embed each needs.
Mixed Content & Secure Contexts
Sort each http subresource an https page loads into upgraded or blocked by whether it can modify the page, predict when an upgrade silently drops a resource, and decide which pages are secure contexts that expose powerful APIs.
Service Workers as Network Layer
Trace a request as it stops at the worker's `fetch` handler, predict which response comes back (the network, a hand-filled cache, or a JavaScript string), and tell the worker's Cache Storage apart from the HTTP cache it does not obey.