This is actually by design and doesn’t really have anything to do with coinbase.
TL;DR: If the request comes from the browser/frontend, it won’t work. If the request comes from a server/backend (node.js in your case), you’re fine.
Basically, when you make a request from a browser, it sends a bunch of authentication stuff that has been stored in your browser so the server you are sending the request to knows who you are. It gets this stuff when you log in to the site.
This is a security risk. I could make a website called badwebsite.com. If you visit it, I could make a request from your browser to coinbase.com, and if you’re logged in to coinbase I could make some trades or do whatever I want since it would send your legitimate coinbase auth stuff with the request.
The solution: Your browser will ask the coinbase.com server what sites are allowed to make requests. Coinbase responds with a list. Your browser will check if the website making the request is on the list. Since badwebsite.com is not on the list, your browser refuses to make the request. This stops badwebsite.com from doing stuff on coinbase with your coinbase credentials.
It’s a concept that’s a little hard to grasp when you’re just developing on your own computer, because it feels like the request comes from the same computer either way, which is true. The difference is that when you send the request from node, it’s coming from the backend. Node doesn’t have any of the stuff that’s stored in the browser, and can’t get anything unless you give it to node manually, i.e. with a form for API keys or log in with coinbase or whatever.
The reason you see " from origin http://localhost:3000" is because that’s what your browser sees as the url for your website.
You’ll probably run into this again elsewhere in the future, and might see some tips on how to disable CORS in the browser. This is terrible advice; never disable CORS. Huge security risk.
One use for allowing a site through CORS is if you had a website, like goodwebsite.com, and you want to log some statistics for your users at another site, like userlogs.com. You might add goodwebsite.com to the CORS list on userlogs.com. Then when a user is doing something on goodwebsite.com, you can make an API call to userlogs.com to log some data, and the user’s browser will be okay with that because it sees goodwebsite.com on the CORS allow list. This is the meaning of CORS: Cross-Origin Resource Sharing. Resources (userlogs) are being shared across two different origins (goodwebsite and userlogs).
Probably more info than you were looking for lol but I hope that clears it up for you.
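
The userlogs.com allow list described above, as an added example that is not part of the original post: a Node-style handler that answers the browser's preflight and only returns CORS headers for listed origins. The `https://` origins, the function names, and the choice of headers are assumptions made for illustration.

```javascript
// Added example: CORS allow list for the hypothetical userlogs.com API.
const ALLOWED_ORIGINS = new Set(['https://goodwebsite.com']); // constructed value
const ALLOWED_METHODS = ['GET', 'POST'];

// Decide which CORS headers to send for a request carrying this Origin.
// Returns {} for unlisted origins, so the browser withholds the response.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,      // echo the exact origin, not '*'
    'Access-Control-Allow-Credentials': 'true', // cookies may accompany the call
    'Vary': 'Origin',                           // keep caches from mixing origins
  };
}

// Request handler in the shape Node's http.createServer(handle) expects.
function handle(req, res) {
  const origin = req.headers.origin; // Node lowercases header names
  const headers = corsHeaders(origin);
  const allowed = Object.keys(headers).length > 0;

  if (req.method === 'OPTIONS') {
    // Preflight: the browser asks for permission before the real request.
    if (allowed) {
      headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
      headers['Access-Control-Allow-Headers'] = 'Content-Type';
      headers['Access-Control-Max-Age'] = '600';
    }
    res.writeHead(allowed ? 204 : 403, headers);
    return res.end();
  }
  // A browser request from an unlisted origin is refused here as well.
  // Backend callers send no Origin header and must authenticate another way.
  if (origin && !allowed) {
    res.writeHead(403, headers);
    return res.end('origin not allowed');
  }
  res.writeHead(200, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ logged: true }));
}
```

A request from a Node backend carries no `Origin` header, so it skips the allow-list check entirely; that path still needs its own authentication such as an API key.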