electron · zcbenz · Sep 17, 2020 · Sep 15, 2020
diff --git a/shell/browser/electron_browser_client.cc b/shell/browser/electron_browser_client.cc
@@ -1517,10 +1517,11 @@ void ElectronBrowserClient::OverrideURLLoaderFactoryParams(
     const url::Origin& origin,
     bool is_for_isolated_world,
     network::mojom::URLLoaderFactoryParams* factory_params) {
-  // Bypass CORB when web security is disabled.
+  // Bypass CORB and CORS when web security is disabled.
   auto it = process_preferences_.find(factory_params->process_id);
   if (it != process_preferences_.end() && !it->second.web_security) {
     factory_params->is_corb_enabled = false;
+    factory_params->disable_web_security = true;
   }
 
   extensions::URLLoaderFactoryManager::OverrideURLLoaderFactoryParams(

diff --git a/spec-main/chromium-spec.ts b/spec-main/chromium-spec.ts
@@ -246,6 +246,40 @@ describe('web security', () => {
     await p;
   });
 
+  it('engages CORS when web security is not disabled', async () => {
+    const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: true, nodeIntegration: true } });
+    const p = emittedOnce(ipcMain, 'response');
+    await w.loadURL(`data:text/html,<script>
+        (async function() {
+          try {
+            await fetch('${serverUrl}');
+            require('electron').ipcRenderer.send('response', 'passed');
+          } catch {
+            require('electron').ipcRenderer.send('response', 'failed');
+          }
+        })();
+      </script>`);
+    const [, response] = await p;
+    expect(response).to.equal('failed');
+  });
+
+  it('bypasses CORS when web security is disabled', async () => {
+    const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: false, nodeIntegration: true } });
+    const p = emittedOnce(ipcMain, 'response');
+    await w.loadURL(`data:text/html,<script>
+        (async function() {
+          try {
+            await fetch('${serverUrl}');
+            require('electron').ipcRenderer.send('response', 'passed');
+          } catch {
+            require('electron').ipcRenderer.send('response', 'failed');
+          }
+        })();
+      </script>`);
+    const [, response] = await p;
+    expect(response).to.equal('passed');
+  });
+
   it('does not crash when multiple WebContent are created with web security disabled', () => {
     const options = { webPreferences: { webSecurity: false } };
     const w1 = new BrowserWindow(options);