Cross-Origin Resource Sharing (CORS) is an established web standard protocol that protects servers from unexpected cross-origin network accesses. Before this change, Chrome implemented the CORS protocol in its rendering engine, Blink, which runs in a renderer process. Once the OOR-CORS feature is enabled, network accesses are instead inspected in the network service, which runs in a separate process.

Motivation

OOR-CORS solves several architectural and security issues:

  1. Provides a reliable CORS implementation running in a separate process.
  2. Solves a historical design problem: a full-featured CORS implementation is available only in Blink core parts, XHR and Fetch APIs, while a simplified version is used in other places.
  3. Solves a historical design problem: HTTP requests created or modified by some internal modules cannot be inspected by CORS.

Documentation

Specification

Specification link


Unknown standards status - check spec link for status

Status in Chromium

Blink>SecurityFeature>CORS


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped/Shipping
  • Shipped/Shipping
  • Shipped/Shipping
  • No signals

Owner

Comments

Launch for WebView is rescheduled.

Search tags

CORS

Last updated on 2021-08-16