Cross-Origin Resource Sharing (CORS) is an established web standard protocol to protect servers from unexpected cross-origin network accesses. Chrome implemented the CORS protocol in the rendering engine, Blink, running in a renderer process before this change. However, once the OOR-CORS feature is enabled, it inspects network accesses in the network service, running in a separate process.
Motivation
OOR-CORS solves several architectural and security issues: 1. Provides a reliable CORS implementation running in a separate process. 2. Solves a historical design problem that full-featured CORS implementation is available only in Blink core parts, XHR and Fetch APIs, and simplified version is used in other places. 3. Solves historical design problems that HTTP requests created or modified by some internal modules can not be inspected by CORS.
Documentation
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://developer.chrome.com/extensions/webRequest
- https://docs.google.com/document/d/1JNmUcvbw2UcjfdI2uyUpveHXCbae-DQ1n8d_sVs5fLg/edit?usp=sharing
- https://docs.google.com/document/d/1Aqhx9dOkv0ZI5CDg8zxafPC-JTA66Cu6e_Tu9i5G6wQ/edit?usp=sharing
- https://docs.google.com/document/d/1M5GwH27os-Q3nNmBeZFMsZVThz49wQKCrC6xXFL9oR4/edit?usp=sharing
Specification
Unknown standards status - check spec link for status
Status in Chromium
Enabled by default
(tracking bug)
Consensus & Standardization
- Shipped/Shipping
- Shipped/Shipping
- No signals
Owner
Search tags
CORS,Last updated on 2021-12-13
Comments
Launch for WebView is rescheduled.