Fetches may originate from other origins to support CDNs, but we must not allow access to content that otherwise wouldn’t be accessible.
We currently block every kind of background fetch request that needs CORS preflight. Why? We use DownloadManager to download items and CORS preflight code is in Blink currently, which DownloadManager shouldn't talk to (because that would require us to spin up a renderer process, and that's expensive).
The move of CORS preflight logic to network service should be done by Q3, shipping will take longer but we can start building on it then.
This bug is a tracker for that work. Once we do have CORS preflight support, we can stop blocking all background fetches that need it.
Relevant docs:
CORS Support in Network Service:
https://docs.google.com/document/d/1JNmUcvbw2UcjfdI2uyUpveHXCbae-DQ1n8d_sVs5fLg/edit?usp=sharing
Out-of-Blink Fetch/CORS:
https://docs.google.com/document/d/1mIk2or1y8nXHSQXQ6mJLGp3gLrtImONIuYhHtx1zInM/edit?usp=sharing
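Which requests "need CORS preflight", as an added example that is not part of the original report and not Chromium's code: a simplified classifier based on the Fetch standard's CORS-safelisted methods and request headers, applied to constructed requests. The function names, the `app.example` / `cdn.example` hosts and the request shapes are assumptions made for illustration.

```javascript
// Added example: simplified from the Fetch standard's CORS-safelist rules.
// Not Chromium code. Assumes request mode "cors"; omits the Range header
// and the 1024-byte total limit on safelisted header values.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
const UNSAFE_BYTE = /[\x00-\x08\x0A-\x1F"():<>?@[\\\]{}\x7F]/;
const LANGUAGE_VALUE = /^[0-9A-Za-z *,\-.;=]*$/;

function isSafelistedHeader(name, value) {
  if (value.length > 128) return false; // ASCII values assumed: chars == bytes
  switch (name.toLowerCase()) {
    case 'accept':
      return !UNSAFE_BYTE.test(value);
    case 'accept-language':
    case 'content-language':
      return LANGUAGE_VALUE.test(value);
    case 'content-type':
      return !UNSAFE_BYTE.test(value) &&
        SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    default:
      return false; // any other author-set header forces a preflight
  }
}

function needsCorsPreflight({ url, method = 'GET', headers = {} }, pageOrigin) {
  if (new URL(url).origin === pageOrigin) return false; // same-origin: no CORS
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

// Split a batch the way the description states: anything needing preflight is blocked.
function partitionBackgroundFetch(requests, pageOrigin) {
  const allowed = [], blocked = [];
  for (const r of requests) {
    (needsCorsPreflight(r, pageOrigin) ? blocked : allowed).push(r);
  }
  return { allowed, blocked };
}

// Constructed sample batch.
const SAMPLE = [
  { url: 'https://cdn.example/video.mp4' },
  { url: 'https://cdn.example/upload', method: 'PUT' },
  { url: 'https://cdn.example/api', method: 'POST',
    headers: { 'Content-Type': 'application/json' } },
  { url: 'https://app.example/local', method: 'PUT' },
];
```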
Comment 1 by na...@chromium.org, Dec 17