The correct option is Cross Origin Resource Sharing (CORS).

Cross Origin Resource Sharing (CORS) is a browser enforced policy that controls whether web pages served from a different origin can make requests to your API. The server indicates allowed origins by returning response headers such as Access-Control-Allow-Origin and related CORS headers and the browser will block or allow the call accordingly. For non simple requests the browser issues a preflight OPTIONS request and the server must respond with the appropriate headers to permit the actual request. Properly configuring CORS on the API is the way to prevent web pages from other domains from invoking the endpoints in a browser while still allowing approved origins.

Azure Active Directory is an identity and access management service that handles authentication and authorization and it does not control browser cross origin request behavior. You can require tokens from Azure AD to protect an API but that does not replace the browser enforced CORS checks.

Cross Site Scripting (XSS) is a type of client side vulnerability where attackers inject malicious scripts into web pages and it is not a mechanism for controlling cross origin requests. XSS is something to prevent rather than the control that governs whether a page from another origin can call an API.

OAuth 2.0 is an authorization framework used to obtain and use access tokens and it addresses who can access resources rather than whether browsers are allowed to make cross origin requests. OAuth is often used alongside CORS but it does not implement the browser policy that blocks cross origin calls.

Full AWS Practitioner Certification Question