Great explanation of exactly how the Access-Control-Allow-Origin header works. Explains choreography in detail and touches upon concepts of simple versus non-simple HTTP requests, OPTIONS requests and explains that the network fetch actually does happen but the Browser refuses to process it any further and throws XMLHttpRequest error if the right conditions are not met.

This SO answer nails it. NB: I had to tweak some scripts — a running example is available in my playground/http/multipart-post directory.

TLDR: browsers will generate an HTTP POST request with a Content-Type: multipart/form-data header when displaying an HTML form with an enctype='multipart/formdata' attribute.