How to detect that a response failed a CORS check?

[Christian Biesinger]

Hello,

We currently have implemented a URLLoaderThrottle that takes certain actions for same-origin requests.

We are considering changing it to same-site requests that passed CORS checks. My question is, can a URLLoaderThrottle tell from a network::mojom::URLResponseHead (possibly in combination with a network::ResourceRequest) that CORS checks have failed?

(The throttle is created in this function, if it matters: https://source.chromium.org/chromium/chromium/src/+/main:chrome/renderer/url_loader_throttle_provider_impl.cc;l=145;drc=67d90538f11c6b232dbfd716075db52aeb34fd15;bpv=1;bpt=1 )

Thanks!
Christian

[Matt Menke]

Disclaimer:  I'm not a CORS expert.

If CORS is enabled and CORS checks fail, the underlying URLLoader in the network process returns an error to the caller rather than the actual response.  If CORS isn't enabled, we don't do CORS checks.

Since this code is in the renderer, the request presumably already has CORS enabled, so it should get an error of some sort if CORS checks fail.

--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAPTJ0XHeiwbaXBW0AHW0OrwAR%2Baqo00eWEmMS4f6uz_D5w5vmQ%40mail.gmail.com.