CORS options

%3CLINGO-SUB%20id%3D%22lingo-sub-422801%22%20slang%3D%22en-US%22%3ECORS%20options%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-422801%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20a%20developer%20and%20I'm%20often%20annoyed%20with%20same%20origin%20policy.%20I%20would%20love%20to%20have%20a%20switch%20to%20disable%20CORS%20when%20working%20with%20localhost%20or%20the%20intranet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20of%20the%20most%20annoyed%20thing%20in%20Chrome%20is%20having%20a%20CORS%20error%20message%20for%20something%20not%20related%20to%20CORS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20your%20plans%20regading%20CORS%20on%20the%20new%20Edge%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20beeing%20said%2C%20I%20just%20looked%20at%20the%20flags%20in%20about%3Aflags%20and%20found%20%22%3CSPAN%3EOut%20of%20blink%20CORS%22.%20I%20found%20some%20reference%20on%20the%20internet%20but%20I%20can't%20figure%20out%20the%20purpose%20of%20this%20flag.%20Someone%20knows%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-681551%22%20slang%3D%22en-US%22%3ERe%3A%20CORS%20options%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-681551%22%20slang%3D%22en-US%22%3EGenerally%20speaking%2C%20CORS%20policies%20are%20based%20on%20web%20standards%20and%20should%20be%20identical%20across%20browsers.%20As%20a%20consequence%2C%20Edge%20behavior%20can%20be%20expected%20to%20match%20Chrome's.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20are%20seeing%20an%20incorrect%20message%2C%20please%20provide%20repro%20steps%20and%20we%20will%20investigate.%20%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20Out-of-Blink-CORS%20flag%20should%20have%20no%20visible%20impact%20on%20anything.%20What%20it%20does%20is%20move%20CORS%20checks%20out%20of%20the%20(potentially%20compromised%20Renderer%20process)%20to%20a%20more%20trustworthy%20process%2C%20thus%20providing%20higher%20protection%20against%20cross-origin%20data%20theft.%20%3CBR%20%2F%3E%3CBR%20%2F%3EThere%20exists%20a%20command%20line%20switch%20which%20disables%20web%20security%20(including%20CORS)%20but%20I'd%20advise%20against%20using%20it%2C%20as%20it%20is%20unsafe%20and%20it%20will%20hide%20bugs.%3C%2FLINGO-BODY%3E
sylvainrodrigue
Occasional Contributor

I'm a developer and I'm often annoyed with same origin policy. I would love to have a switch to disable CORS when working with localhost or the intranet.

 

One of the most annoyed thing in Chrome is having a CORS error message for something not related to CORS.

 

What is your plans regading CORS on the new Edge ?

 

That beeing said, I just looked at the flags in about:flags and found "Out of blink CORS". I found some reference on the internet but I can't figure out the purpose of this flag. Someone knows?

 

Thanks.

 

 

 

1 Reply
Generally speaking, CORS policies are based on web standards and should be identical across browsers. As a consequence, Edge behavior can be expected to match Chrome's.

If you are seeing an incorrect message, please provide repro steps and we will investigate.

The Out-of-Blink-CORS flag should have no visible impact on anything. What it does is move CORS checks out of the (potentially compromised Renderer process) to a more trustworthy process, thus providing higher protection against cross-origin data theft.

There exists a command line switch which disables web security (including CORS) but I'd advise against using it, as it is unsafe and it will hide bugs.