Service Worker: Disallow CORS responses for same-origin requests.

Category: Service Worker
Type: New or changed feature
Status: Enabled by default (Chrome 66)
Intent stage: None

Summary

With this change, a service worker can no longer respond to a request whose mode is 'same-origin' with a response whose type is 'cors'. This is a security measure added to the Fetch specification via https://github.com/whatwg/fetch/issues/629 and https://github.com/whatwg/fetch/pull/655.
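
A service worker can screen a candidate response against this rule before handing it to respondWith(). The following is an added example, not code from Chrome or the Fetch specification; the helper names `violatesSameOriginRule` and `usableResponse` and the cache-then-network strategy are assumptions made for illustration.

```javascript
// Added example (hypothetical helpers, not Chrome's or the Fetch spec's code).

// True when the pairing described above occurs: a request whose mode is
// 'same-origin' answered with a response whose type is 'cors'.
function violatesSameOriginRule(request, response) {
  return request.mode === 'same-origin' && response.type === 'cors';
}

// Return the candidate response if it may be used for this request,
// or null if there is no candidate or it would break the rule.
function usableResponse(request, candidate) {
  if (!candidate) return null;
  return violatesSameOriginRule(request, candidate) ? null : candidate;
}

// Register the handler only when actually running as a service worker,
// so the helpers above can also be loaded and tested elsewhere.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    event.respondWith(
      caches.match(event.request).then((cached) =>
        // A 'cors' response is never returned for a 'same-origin' request;
        // in that case the request goes to the network unchanged.
        usableResponse(event.request, cached) || fetch(event.request))
    );
  });
}
```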

Standards & signals

Docs: https://github.com/whatwg/fetch/issues/629 https://github.com/whatwg/fetch/pull/655
