I got a weird CORS behavior that if I register a URI scheme, gtk:// for example. If the page is loaded with that URI scheme, and then using fetch or XHR inside that webview to any server that enables CORS, it will got the following errors. > [Error] Origin is not allowed by Access-Control-Allow-Origin. > [Error] Fetch API cannot load http://mockbin.org/bin/123fj399fiv due to access control checks. > [Error] Failed to load resource: Origin is not allowed by Access-Control-Allow-Origin. The origin seems to be empty, not even null. But if I checked in the devtools, the origin will be there (gtk://localhost for example) Setting Access-Control-Allow-Origin: * will pass, but any others won't(gtk://, gtk://*, gtk://localhost... etc). Functions webkit_security_manager_register_uri_scheme_as_cors_enabled(security_manager, "gtk") didn't work either.
Here's the example to test with: https://github.com/wusyong/gtkbrowser/tree/cors It enables "gtk://" URL scheme and sets the scheme with cors enabled. It also enables the devtool to help us easier to debug. I used mockbin to test several options: https://mockbin.org/ It has code snippets to let you copy the fetch request and paste it to devtool of the window directly to see the result. Only Access-Control-Allow-Origin: * will work. gtk://, gtk://*, gtk://index.html all will get empty origin.