CORS relaxes the rules about what requests the browser can make.

The server doesn't get to stop the browser making calls that it didn't want, so it's a browser security feature, to stop the browser sending cookies where it shouldn't, or more precisely, to only send authentication and other info where it should.

It relaxes the same origin policy.

Usually a browser will not load resources from another origin based on the HTML it receives. If the page is from example.com, it won't allow you to load a page from example.org.

That stops things like authentication and cookies etc from example.com being transmitted to example.org if someone hacks the webpage.

CORS allows the server to relax those rules so that it can say "You can load resources from me, or from these other servers."

So it can say "I'm example.com but you can load resources from example.org and that's OK."

At least, that's how I think it works :)