diff --git a/shell/browser/electron_browser_client.cc b/shell/browser/electron_browser_client.cc
index 9ee0aeaaf584b..a2617d601ccd8 100644
--- a/shell/browser/electron_browser_client.cc
+++ b/shell/browser/electron_browser_client.cc
@@ -1517,10 +1517,11 @@ void ElectronBrowserClient::OverrideURLLoaderFactoryParams(
 const url::Origin& origin,
 bool is_for_isolated_world,
 network::mojom::URLLoaderFactoryParams* factory_params) {
- // Bypass CORB when web security is disabled.
+ // Bypass CORB and CORS when web security is disabled.
 auto it = process_preferences_.find(factory_params->process_id);
 if (it != process_preferences_.end() && !it->second.web_security) {
 factory_params->is_corb_enabled = false;
+ factory_params->disable_web_security = true;
 }
 extensions::URLLoaderFactoryManager::OverrideURLLoaderFactoryParams(
diff --git a/spec-main/chromium-spec.ts b/spec-main/chromium-spec.ts
index aa1fb9b61e787..a0dfc5503d7ca 100644
--- a/spec-main/chromium-spec.ts
+++ b/spec-main/chromium-spec.ts
@@ -246,6 +246,40 @@ describe('web security', () => {
 await p;
 });
+ it('engages CORS when web security is not disabled', async () => {
+ const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: true, nodeIntegration: true } });
+ const p = emittedOnce(ipcMain, 'response');
+ await w.loadURL(`data:text/html,`);
+ const [, response] = await p;
+ expect(response).to.equal('failed');
+ });
+
+ it('bypasses CORS when web security is disabled', async () => {
+ const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: false, nodeIntegration: true } });
+ const p = emittedOnce(ipcMain, 'response');
+ await w.loadURL(`data:text/html,`);
+ const [, response] = await p;
+ expect(response).to.equal('passed');
+ });
+
 it('does not crash when multiple WebContent are created with web security disabled', () => {
 const options = { webPreferences: { webSecurity: false } };
 const w1 = new BrowserWindow(options);
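Review bot: In shell/browser/electron_browser_client.cc, the added `factory_params->disable_web_security = true;` is decided only by the `factory_params->process_id` lookup, so `origin` and `is_for_isolated_world` play no part and every URL loader factory created for a process recorded with `web_security` off loses CORS enforcement as well as CORB. That presumably means any content that ends up in that renderer process, not only the page the window was opened for, can read cross-origin responses, and the one-line comment does not tell a maintainer that the scope is the whole process. I would expand it to something like `// webSecurity: false is tracked per renderer process: every origin loaded in that process gets CORB and CORS turned off, so cross-origin responses become readable to all of it.` The body of OverrideURLLoaderFactoryParams continues past the end of the hunk and `process_preferences_` is populated outside it, so whether an entry can outlive its process and be matched by a reused process id cannot be judged from here and is worth confirming.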