A cross-origin request is a request that was not created by code (html page, javascript, …)) of the same origin.
A cross site request shares the same top level domain but may be not of same origin if they don't have the same domain
A request that is not a cross-origin request is a same origin request.
A page may contain images or other components stored on servers in other domains (for example, ad banners), which performs then cross_origin request and may set third-party cookies. (Used mainly for advertising and tracking across the web)
You can prevent bad cross origin request:
Cookies from the same origin than the destination server are always sent cross-origin to enables user-specific cross-origin APIs
Only the following headers are allowed cross domain:
any others cause a CORS Pre-flight request.