electron: Electron 9.0.0 webSecurity option no longer disables CORS

Preflight Checklist

  • I have read the Contributing Guidelines for this project.
  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Issue Details

  • Electron Version: 9.0.0
  • Operating System: Windows 10 (1904)
  • Last Known Working Electron version: 8.2.0

Expected Behavior

Setting BrowserWindow webPreferences: { webSecurity: false } should disable the CORS policy

Actual Behavior

Although I am receiving the Electron security warnings for “Disabled webSecurity”, “allowRunningInsecureContent” and “Insecure Content-Security-Policy” in the console, I am still getting CORS policy errors on my requests.

Here is an example:

Access to XMLHttpRequest at 'http://localhost:8080/users/login' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 53
  • Comments: 34 (6 by maintainers)

Most upvoted comments

I also have this problem. My temporary solution: app.commandLine.appendSwitch('disable-features', 'OutOfBlinkCors');

The webSecurity option controls the web security inside blink, but recently the control of CORS has been moved out of blink and thus the option no longer controls CORS.

I’ll see if there is another way to disable CORS, but it seems that Chromium no longer provides a way to disable CORS per WebContents so we might end up with adding a new session-side option.

> I also have this problem. My temporary solution: app.commandLine.appendSwitch('disable-features', 'OutOfBlinkCors');

I needed both webSecurity: false and the command line switch to get rid of CORS errors when using dev-server and trying to access file:// protocol. But now I need another workaround to solve #23757.

For me it only works if I set webSecurity: false and app.commandLine.appendSwitch('disable-site-isolation-trials')

Same problem, version 10.1.1.

Same problem in 9.1.0. app.commandLine.appendSwitch('disable-features', 'OutOfBlinkCors'); works for me, but I wish somebody would fix it.

It seems to me that this was done on purpose. Based on this recommendation: https://www.electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity

This is probably done so that people would not thoughtlessly turn off all policies at once.

The label on this issue shouldn’t be limited to Platform/Windows. It’s happening for macOS too.

@Bug-Reaper It’s chromium flags, so you can find it here

Thanks for the link @daltonmenezes 😃 perhaps official docs should list all chrome flags or link and explain those are available options at least.

> The webSecurity option controls the web security inside blink, but recently the control of CORS has been moved out of blink and thus the option no longer controls CORS.
>
> I’ll see if there is another way to disable CORS, but it seems that Chromium no longer provides a way to disable CORS per WebContents so we might end up with adding a new session-side option.

@zcbenz thank you for the explanation, this makes a lot of sense! Really happy to have some more insight about what’s going on here. Also saw you made a PR, thanks a million!

> It seems to me that this was done on purpose. Based on this recommendation: https://www.electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity
>
> This is probably done so that people would not thoughtlessly turn off all policies at once.

Sure, but the problem is still that we can’t use it for development purposes. Without it we can’t develop using local backend servers.

Would like to note that this bug does not seem to be platform-specific - we are experiencing this on Linux and macOS in addition to Windows.

The same behavior happens on macOS. It is not specific to Windows only.

This is also a problem for me (Linux).

> For me it only works if I set webSecurity: false and app.commandLine.appendSwitch('disable-site-isolation-trials')

@daltonmenezes This was reported here: https://github.com/electron/electron/issues/18214. It no longer works for me as of 9.0.0, hence this issue. Does webSecurity: false work for you in 9.0.0?

> It seems to me that this was done on purpose.

@gormonn I don’t think so, or else it would have been documented by the Electron team. That doc has been around for a while; if they were going to remove the API on purpose they would have said something.

EDIT: never mind, after some more testing, this has the opposite problem. It seems like enableBlinkFeatures/disableBlinkFeatures just don’t work with OutOfBlinkCors.


Okay, it’s weird, but here’s how you can disable webSecurity on a per-BrowserWindow basis:

  1. On app startup, disable the Blink feature globally: app.commandLine.appendSwitch('disable-features', 'OutOfBlinkCors')
  2. Then, whenever you want to create a BrowserWindow WITHOUT webSecurity disabled (the default), pass: options.webPreferences.enableBlinkFeatures = 'OutOfBlinkCors'

Inverting the options in this manner seems to work. Not sure why the original approach of just using disableBlinkFeatures doesn’t work.
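
An added example, not part of the original thread or of Electron's code: the preflight failure quoted in the issue can also be resolved with webSecurity left on, by having the local backend (http://localhost:8080) answer the preflight for the renderer's origin (http://localhost:3000). The function names, the allowed methods and headers, and the `--serve` flag are assumptions made for illustration.

```javascript
// Added example: dev backend that answers CORS preflights for one known origin.
// Assumption: the renderer is loaded from the origin shown in the error message.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);

// Returns CORS response headers for an origin, or null if it is not allowlisted.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the exact origin, never '*'
    'Vary': 'Origin',                      // keep caches from mixing origins
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '600',
  };
}

// Decides status and headers for one request; pure, so it can be unit-tested.
function handle(method, reqHeaders) {
  const cors = corsHeaders(reqHeaders.origin);
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    // Preflight: answered here, before any application logic runs.
    return cors ? { status: 204, headers: cors } : { status: 403, headers: {} };
  }
  // Actual request: without the CORS headers the browser hides the response.
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json', ...(cors || {}) },
  };
}

function createServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const { status, headers } = handle(req.method, req.headers);
    res.writeHead(status, headers);
    res.end(status === 200 ? JSON.stringify({ ok: true }) : undefined);
  });
}

// Run with `node server.js --serve`; bound to loopback so the dev backend
// is not reachable from other hosts on the network.
if (process.argv.includes('--serve')) {
  createServer().listen(8080, '127.0.0.1');
}
```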