Service Worker: Disallow CORS responses for same-origin requests.

With this change, a service worker can no longer respond to a request whose mode is 'same-origin' with a response whose type is 'cors'. This is a security measure added to the Fetch specification via and
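The rule above, sketched as an added example (not Chromium's code or text from the specification): a pre-check a service worker can run before `respondWith()`, so a cached `cors` response is never handed to a `same-origin` request. It goes beyond this page's one rule by including the sibling response-type checks that the Fetch Standard applies to service worker responses; `rejectionReason` and `respond` are hypothetical names.

```javascript
// Added example. In a real worker `request` is event.request and `response`
// comes from the Cache API or fetch(); the checks read only
// request.mode, request.redirect, response.type and response.redirected.
function rejectionReason(request, response) {
  if (response.type === 'error') return 'response is a network error';
  // The rule this page describes.
  if (request.mode === 'same-origin' && response.type === 'cors')
    return "cors response for a 'same-origin' request";
  // Sibling checks from the same step of the Fetch Standard.
  if (request.mode !== 'no-cors' && response.type === 'opaque')
    return "opaque response for a request that is not 'no-cors'";
  if (request.redirect !== 'manual' && response.type === 'opaqueredirect')
    return "opaqueredirect response without redirect mode 'manual'";
  if (request.redirect !== 'follow' && response.redirected)
    return "redirected response without redirect mode 'follow'";
  return null; // acceptable for this request
}

// Serve from cache only when the cached response is acceptable for this
// request; otherwise go to the network instead of failing the request.
async function respond(request, lookupCache, fetchFromNetwork) {
  const cached = await lookupCache(request);
  if (cached && rejectionReason(request, cached) === null) return cached;
  return fetchFromNetwork(request);
}

// Wire up the handler only when actually running as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    event.respondWith(
      respond(event.request, (r) => caches.match(r), (r) => fetch(r)));
  });
}
```

Without such a check, a worker that answers a `same-origin` request with a `cors` response causes the request to fail with a network error in Chrome 66 and later.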



Editor's draft

Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 66
  • Chrome for Android release 66
  • Android WebView release 66

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.


Last updated on 2018-03-28