In short, because the download manager is used for requesting content as opposed to the regular fetching infrastructure in Blink (and beyond), we'll need to figure out a path towards properly supporting CORS.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/167601a35b397e3ee82f8198de38cc77c7b5492a

commit 167601a35b397e3ee82f8198de38cc77c7b5492a
Author: John Mellor <johnme@chromium.org>
Date: Mon Sep 04 15:03:30 2017

[Background Fetch] Add security checks copied from Fetch

Adds some security checks to the Background Fetch API, based on https://fetch.spec.whatwg.org/#main-fetch.

1. Blocks invalid URLs.
2. Blocks CSP violations.
3. Blocks blacklisted ports.
4. Blocks credentials embedded in the url.
5. Blocks protocols other than http:// and https:// (https://github.com/WICG/background-fetch/issues/44).
6. Blocks Mixed Content (with an additional restriction that insecure http: cannot be requested from http://127.0.0.1).
7. Blocks URLs with dangling markup.
8. Temporarily blocks requests that require a CORS preflight, as BackgroundFetchCrossOriginFilter cannot yet handle them safely. This restriction will be lifted eventually.

Bug: 711354, 757441
Change-Id: I3d93c861ce4cbc9f460f61f3ed38a65131c2a620
Reviewed-on: https://chromium-review.googlesource.com/582007
Commit-Queue: John Mellor <johnme@chromium.org>
Reviewed-by: Peter Beverloo <peter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#499500}

[modify] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/content/browser/background_fetch/background_fetch_request_info.cc
[modify] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/content/browser/background_fetch/background_fetch_response.h
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/content-security-policy.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/credentials-in-url.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/dangling-markup.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/mixed-content-and-allowed-schemes.https.window-expected.txt
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/mixed-content-and-allowed-schemes.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/port-blocking.https.window-expected.txt
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/port-blocking.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/resources/sw.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/resources/utils.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/http/tests/background_fetch/block-cors-preflights.https.html
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/http/tests/background_fetch/resources/utils.js
[modify] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/Source/modules/background_fetch/BackgroundFetchManager.cpp
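The URL-level checks listed in the commit message above, sketched as an added example that is not Chromium's code and not part of the original thread. The function name, the reason strings, the example.com URLs and the short port list are assumptions made for illustration; CSP (check 2) and the http://127.0.0.1 restriction are not modelled.

```javascript
// Added illustration of checks 1 and 3-8 from the commit message.
// Not the BackgroundFetchManager implementation; names are hypothetical.

// Small subset of the Fetch "bad port" list, enough to show the check.
const BAD_PORTS = new Set([21, 22, 23, 25, 110, 143, 6667]);

// Methods that do not force a CORS preflight on their own.
// Non-safelisted request headers also trigger one; not modelled here.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Returns null when the request passes, otherwise the reason it is blocked.
// rawUrl must be the string exactly as the page supplied it.
function checkBackgroundFetchRequest(rawUrl, pageOrigin, method = 'GET') {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return 'invalid-url';                                  // check 1
  }
  const page = new URL(pageOrigin);

  if (url.port !== '' && BAD_PORTS.has(Number(url.port))) {
    return 'bad-port';                                     // check 3
  }
  if (url.username !== '' || url.password !== '') {
    return 'credentials-in-url';                           // check 4
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return 'scheme-not-allowed';                           // check 5
  }
  if (page.protocol === 'https:' && url.protocol === 'http:') {
    return 'mixed-content';                                // check 6
  }
  // Check 7: the URL parser silently strips tab and newline characters.
  // Stripped whitespace together with '<' is the dangling-markup signal,
  // so it has to be tested on the raw input, not on the parsed URL.
  if (/[\t\n\r]/.test(rawUrl) && rawUrl.includes('<')) {
    return 'dangling-markup';
  }
  // Check 8: cross-origin request with a method that needs a preflight.
  if (url.origin !== page.origin &&
      !SIMPLE_METHODS.has(method.toUpperCase())) {
    return 'cors-preflight-required';
  }
  return null;
}
```

The dangling-markup test only works on the raw string because `new URL()` has already removed the newline by the time the parsed URL is available.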
Handing over Background Fetch bugs to Peter.
Comment 1 by tyoshino@chromium.org, Jun 23 2017