A
CORS policy[
^] is a mechanism designed to limit where requests can be made from into a particular resource. In this case, this is your REST API. The REST API is receiving the request and validating where it's coming from (in this case "localhost"), not finding it on an approved list of origins, and then blocking the request.
Depending on which framework/language you're using for your REST API, you may need to register "localhost" as an allowed origin.