CORS exists to prevent malicious sites from making authenticated requests to your bank, email, etc. on your behalf. The rule: a script running on evil.com can't fetch data from bank.com unless bank.com explicitly responds with an Access-Control-Allow-Origin header naming evil.com (or * for any origin).
For YouTube downloaders: video bytes come from googlevideo.com. Standard fetch from a JS environment on vidpickr.com would be blocked unless googlevideo.com sent the CORS header. It does for some specific use cases (the YouTube player itself) but not for everyone.
VidPickr's architecture works around this by having the user's browser fetch from our /stream endpoint on vidpickr.com, which proxies to googlevideo.com from the server side (where CORS doesn't apply). The user's browser only ever sees same-origin requests. From the browser's perspective, no CORS issue exists.
Common questions
Why can I display a YouTube thumbnail on my site but not embed the video?
Related terms
Signed URL
A signed URL is a download link with cryptographic parameters that authenticate the request and expire after a set time.
Service worker
A service worker is a script that runs in the background of a website, separate from the main page, intercepting network requests and providing offline support.
VidPickr is a free, browser-based YouTube downloader. Every term in this glossary either describes how YouTube delivers video or why your downloads behave the way they do. Try the downloader →