Out-Of-Renderer Cross-Origin Resource Sharing (aka OOR-CORS or OutOfBlinkCors)

Cross-Origin Resource Sharing (CORS) is an established web standard protocol that protects servers from unexpected cross-origin network accesses. Before this change, Chrome implemented the CORS protocol in the rendering engine, Blink, which runs in a renderer process. Once the OOR-CORS feature is enabled, Chrome instead inspects network accesses in the network service, which runs in a separate process.

OOR-CORS solves several architectural and security issues:

  1. Provides a reliable CORS implementation running in a separate process.
  2. Solves a historical design problem: the full-featured CORS implementation is available only in Blink core parts, XHR and Fetch APIs, while a simplified version is used in other places.
  3. Solves a historical design problem: HTTP requests created or modified by some internal modules cannot be inspected by CORS.

Documentation

Specification

Established standard

Status in Chromium

Blink>SecurityFeature>CORS


Behind a flag (tracking bug) in:

  • Chrome for desktop release 79
  • Chrome for Android release 79
  • Android WebView release 79

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped
  • Shipped
  • Shipped
  • No signals

Owner

Last updated on 2019-10-07