Hi All,
I have a URLLoaderFactory proxy implementation [1] (originally based on AwProxyingURLLoaderFactory) where I intercept certain HTTP(S) requests via ContentBrowserClient::WillCreateURLLoaderFactory and handle them in the browser process using a custom URLLoader implementation [2]. In cases where I don't specify an "Access-Control-Allow-Origin" header, and when OutOfBlinkCors (OOR-CORS) is disabled, an XMLHttpRequest to the intercepted resource will be blocked as expected with a message like:
When OutOfBlinkCors is enabled the CORS restrictions are not applied and the XMLHttpRequest succeeds, which is not the expected behavior. I've also noticed that no "Origin" header is sent with the XHR request in this case.
This lack of CORS enforcement with OutOfBlinkCors is a problem for applications that load both internal and external resources. For example, an application might expose sensitive business logic via an intercepted HTTP request and expect CORS restrictions to keep untrusted content (like a third-party ad loaded in an iframe) from accessing it.
What would be the recommended approach for enforcing CORS restrictions for intercepted requests when OutOfBlinkCors is enabled? It seems that OutOfBlinkCors is implemented via CorsURLLoader which lives in the NetworkService process -- is possible to somehow route a request through a CorsURLLoader while still intercepting/handling it in the browser process?
Thanks,
Marshall