mirror of
https://github.com/LadybirdBrowser/ladybird
synced 2026-04-26 17:55:07 +02:00
6539c72e7e
JavaScript module requests (in a non-worker context) always have CORS enabled. However, CORS requests are only allowed for same-origin or HTTP/S requests. This patch extends this to allow resource:// requests from opaque origins (e.g. about: URLs). We must also set the Access-Control-Allow-Origin header to "null" to ensure that the response is accepted by the CORS checks. This does not affect requesting resource:// URLs from resource:// URLs as those are same-origin and skip CORS checks. This ultimately enables requesting resource:// JS modules from the about:settings page.