PSA: Enforce CORS in subresource SignedExchange prefetching


Kunihiko Sakamoto

Aug 8, 2022, 1:25:25 AM
to blink-dev

Contact emails



Changes the request mode and credentials mode of prefetch requests used in Subresource prefetching+loading via Signed HTTP Exchange ( Currently SignedExchange subresource prefetches (triggered by Link: rel="alternate") are requested with "no-cors" mode. After this change, SignedExchange subresource prefetches will be requested with "cors" mode and "same-origin" credentials mode. That means, subresource SignedExchanges prefetched from cross-origin must have an appropriate Access-Control-Allow-Origin response header.


Using no-cors mode for subresource SignedExchange prefetching was not a well-thought-out decision. In principle new features shouldn't use no-cors. Also, no-cors prefetches will be blocked once ORB (Opaque Response Blocking) is fully enabled (

See for more details and alternatives considered.

Blink component



If a SignedExchange prefetch fails with a CORS error, it will be reported on the DevTools' network tab and console.

Tracking bug

Estimated milestones

Shipping on desktop: 106

Shipping on Android: 106

Link to entry on the Chrome Platform Status

Domenic Denicola

Aug 8, 2022, 3:14:22 AM
to Kunihiko Sakamoto, blink-dev
I'm really happy to see this change! It's important to hold the line on new web platform features being CORS-only, and big kudos to the team for doing this extra work.
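
The CORS requirement described in the PSA above can be checked before deployment. The following is an added example, not part of the original thread and not Chromium code: it models the Fetch CORS check for a prefetch sent in "cors" mode with "same-origin" credentials mode. The names `corsCheck`, `auditPrefetches` and `initiatorOrigin` (the origin whose document triggers the prefetch) are assumptions, and all URLs and header sets are constructed.

```javascript
// Added example, not Chromium code. Models the Fetch "CORS check" applied to a
// prefetch sent in "cors" mode with "same-origin" credentials mode.
// Origins, URLs and header sets are constructed sample values.

function corsCheck(initiatorOrigin, responseHeaders, credentialsMode = "same-origin") {
  // Header names are case-insensitive; values are compared after trimming.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  const acao = headers.get("access-control-allow-origin");
  if (acao === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  // "*" is accepted only when credentials are not included, which holds for a
  // cross-origin request in "same-origin" credentials mode.
  if (credentialsMode !== "include" && acao === "*") {
    return { ok: true, reason: "wildcard" };
  }
  // Otherwise the value must be exactly one serialized origin; lists fail.
  if (acao !== initiatorOrigin) {
    return { ok: false, reason: `value "${acao}" does not match ${initiatorOrigin}` };
  }
  if (credentialsMode !== "include") return { ok: true, reason: "origin match" };
  const allowCreds = headers.get("access-control-allow-credentials") === "true";
  return allowCreds
    ? { ok: true, reason: "origin match with credentials" }
    : { ok: false, reason: "credentials not allowed" };
}

// Returns the subresource SXG URLs whose prefetch would fail with a CORS error.
function auditPrefetches(initiatorOrigin, targets) {
  const failures = [];
  for (const { url, headers } of targets) {
    if (new URL(url).origin === initiatorOrigin) continue; // same-origin: no CORS check
    const result = corsCheck(initiatorOrigin, headers);
    if (!result.ok) failures.push({ url, reason: result.reason });
  }
  return failures;
}

const sampleTargets = [ // constructed
  { url: "https://cdn.example/app.js.sxg", headers: { "Access-Control-Allow-Origin": "*" } },
  { url: "https://cdn.example/style.css.sxg", headers: { "Content-Type": "application/signed-exchange;v=b3" } },
  { url: "https://cdn.example/font.woff2.sxg", headers: { "access-control-allow-origin": "https://a.example, https://search.example" } },
  { url: "https://search.example/logo.png.sxg", headers: {} },
];
console.log(auditPrefetches("https://search.example", sampleTargets));
```
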
