
Issue metadata

Status: Fixed
Closed: Feb 2018
Pri: 2
Type: Bug


Issue 800234: Do not allow CORS responses to "same-origin" requests

Reported by, Jan 9 2018 Project Member

Issue description

Comment 1 by, Jan 16 2018

I'd like to work on this.

Comment 2 by, Jan 17 2018

Status: Assigned (was: Available)
That's great news! I've assigned the bug to you.

Comment 3 by, Jan 24 2018

Description: Show this description

Comment 4 by, Jan 24 2018

One small thing I noticed is that one of the WPT from Mozilla started to pass before this CL landed:
Is there something wrong with this test, or am I missing something here?

Comment 5 by, Jan 24 2018

Chrome fails to load the worker script for that test, but for an unrelated reason.  It was failing the test before:

-FAIL Verify worker script intercepted by cors response succeeds promise_test: Unhandled rejection with value: undefined
+PASS Verify worker script intercepted by cors response fails

I think it's probably failing to intercept the worker script for the same reason it's failing the first test in the file as well.

The spec currently requires that worker script loads be treated as non-subresource loads, so they should be intercepted even if the parent document is not controlled. It seems Chrome is currently treating them like subresource loads and requires the parent document to be controlled.

If you want, you could change this test to create a controlled frame and load the worker from there.  It would isolate the behavior that is trying to be tested from the "are worker scripts subresources" question.

Comment 6 by, Jan 24 2018

Or we could make the test not get a 404 for the worker script if the service worker does not intercept.  The "network" response could post a message indicating the wrong script was loaded or something.

Comment 7 by, Jan 24 2018

Project Member
The following revision refers to this bug:

commit 2e1f3c3724269c16527397f488530cd68003bf16
Author: Yannic Bonenberger <>
Date: Wed Jan 24 17:47:48 2018

Do not allow CORS responses to "same-origin" requests

This matches the change in the Fetch spec:

This CL also removes the UseCounter for cross-origin CORS responses to
same-origin requests because it will be unreachable hereafter.

Chrome status:

Bug: 800234, 784018
Change-Id: Id843a302fa5d0614de1c3ef1c0a39bcf92f7e3ef
Reviewed-by: Matt Falkenhagen <>
Reviewed-by: Tsuyoshi Horo <>
Reviewed-by: Daniel Cheng <>
Commit-Queue: Yannic Bonenberger <>
Cr-Commit-Position: refs/heads/master@{#531594}

Comment 8 by, Feb 1 2018

Labels: -M-65 M-66
Status: Fixed (was: Assigned)
Landed in 66.0.3331.0
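
The rule in the issue title, shown as an added example (not Chromium's code and not part of the original thread): a small model of the Fetch spec's checks on a response that a service worker hands back for an intercepted request. It goes slightly beyond the issue by including the sibling checks from the same spec step; the function name `validateServiceWorkerResponse`, the object shapes, and the sample requests and responses are assumptions constructed for illustration.

```javascript
// Added illustration, not Chromium source. Models the Fetch spec step that
// validates a response supplied by a service worker via respondWith().
// request:  { mode, redirect }   response: { type, urlList }
function networkError(reason) {
  return { type: "error", urlList: [], reason };
}

// Hypothetical helper name; returns the response or a network error.
function validateServiceWorkerResponse(request, response) {
  if (response.type === "error") {
    return networkError("service worker returned a network error");
  }
  // The check this issue adds: a "same-origin" request must never be
  // satisfied by a cross-origin CORS response.
  if (request.mode === "same-origin" && response.type === "cors") {
    return networkError("CORS response to a same-origin request");
  }
  if (request.mode !== "no-cors" && response.type === "opaque") {
    return networkError("opaque response to a request that is not no-cors");
  }
  if (request.redirect !== "manual" && response.type === "opaqueredirect") {
    return networkError("opaqueredirect response without manual redirect mode");
  }
  if (request.redirect !== "follow" && response.urlList.length > 1) {
    return networkError("redirected response but redirect mode is not follow");
  }
  return response;
}

// Constructed samples. A worker script load is modelled as a
// "same-origin" request, as in the WPT discussed in the comments.
const workerScriptRequest = { mode: "same-origin", redirect: "follow" };
const corsRequest = { mode: "cors", redirect: "follow" };
const crossOriginCors = { type: "cors", urlList: ["https://other.example/worker.js"] };
const sameOriginBasic = { type: "basic", urlList: ["https://site.example/worker.js"] };

function outcome(request, response) {
  const result = validateServiceWorkerResponse(request, response);
  return result.type === "error" ? "blocked: " + result.reason : "allowed";
}

console.log(outcome(workerScriptRequest, crossOriginCors));
console.log(outcome(workerScriptRequest, sameOriginBasic));
console.log(outcome(corsRequest, crossOriginCors));
```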
