I'm reading through this Spring Boot Security tutorial:
It it it states:
You might not see the 401 because the browser treats the home page load as a single interaction, and you might see 2 requests for "/resource" because there is a CORS negotiation.
A different port or protocol or subdomain also constitutes a different origin within the same origin policy.
So if you make request from
http://localhost:8080 it is subject to CORS.