Cross-Origin Resource Sharing (CORS) is an established web standard protocol to protect servers from unexpected cross-origin network accesses. Chrome implemented the CORS protocol in the rendering engine, Blink, running in a renderer process before this change. However, once the OOR-CORS feature is enabled, it inspects network accesses in the network service, running in a separate process.
OOR-CORS solves several architectural and security issues: 1. Provides a reliable CORS implementation running in a separate process. 2. Solves a historical design problem that full-featured CORS implementation is available only in Blink core parts, XHR and Fetch APIs, and simplified version is used in other places. 3. Solves historical design problems that HTTP requests created or modified by some internal modules can not be inspected by CORS.
Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://developer.chrome.com/extensions/webRequest https://docs.google.com/document/d/1JNmUcvbw2UcjfdI2uyUpveHXCbae-DQ1n8d_sVs5fLg/edit?usp=sharing https://docs.google.com/document/d/1Aqhx9dOkv0ZI5CDg8zxafPC-JTA66Cu6e_Tu9i5G6wQ/edit?usp=sharing https://docs.google.com/document/d/1M5GwH27os-Q3nNmBeZFMsZVThz49wQKCrC6xXFL9oR4/edit?usp=sharing
Explainers: https://docs.google.com/document/d/1JNmUcvbw2UcjfdI2uyUpveHXCbae-DQ1n8d_sVs5fLg/edit?usp=sharing