fix: disable CORS when webSecurity is disabled (#25504)

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
2026-04-10 03:01:51 -04:00 · 2020-09-17 10:22:25 +09:00
parent c1d04d8e49
commit a22dfc813f
2 changed files with 36 additions and 1 deletions
--- a/shell/browser/electron_browser_client.cc
+++ b/shell/browser/electron_browser_client.cc
@@ -1507,10 +1507,11 @@ void ElectronBrowserClient::OverrideURLLoaderFactoryParams(
    const url::Origin& origin,
    bool is_for_isolated_world,
    network::mojom::URLLoaderFactoryParams* factory_params) {
-  // Bypass CORB when web security is disabled.
+  // Bypass CORB and CORS when web security is disabled.
  auto it = process_preferences_.find(factory_params->process_id);
  if (it != process_preferences_.end() && !it->second.web_security) {
    factory_params->is_corb_enabled = false;
+    factory_params->disable_web_security = true;
  }

  extensions::URLLoaderFactoryManager::OverrideURLLoaderFactoryParams(
--- a/spec-main/chromium-spec.ts
+++ b/spec-main/chromium-spec.ts
@@ -246,6 +246,40 @@ describe('web security', () => {
    await p;
  });

+  it('engages CORS when web security is not disabled', async () => {
+    const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: true, nodeIntegration: true } });
+    const p = emittedOnce(ipcMain, 'response');
+    await w.loadURL(`data:text/html,<script>
+        (async function() {
+          try {
+            await fetch('${serverUrl}');
+            require('electron').ipcRenderer.send('response', 'passed');
+          } catch {
+            require('electron').ipcRenderer.send('response', 'failed');
+          }
+        })();
+      </script>`);
+    const [, response] = await p;
+    expect(response).to.equal('failed');
+  });
+
+  it('bypasses CORS when web security is disabled', async () => {
+    const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: false, nodeIntegration: true } });
+    const p = emittedOnce(ipcMain, 'response');
+    await w.loadURL(`data:text/html,<script>
+        (async function() {
+          try {
+            await fetch('${serverUrl}');
+            require('electron').ipcRenderer.send('response', 'passed');
+          } catch {
+            require('electron').ipcRenderer.send('response', 'failed');
+          }
+        })();
+      </script>`);
+    const [, response] = await p;
+    expect(response).to.equal('passed');
+  });
+
  it('does not crash when multiple WebContent are created with web security disabled', () => {
    const options = { webPreferences: { webSecurity: false } };
    const w1 = new BrowserWindow(options);