This patch modifies the default web browser shipped with the Android KitKat
release (version 4.4) so that Cross-Origin Resource Sharing (CORS) can be
disabled, thereby avoiding the severe security and privacy risks associated
with it.

A modified WebKit (Chromium) library is required (see the other attached
patch).

 packages/apps/Browser/res/values/strings.xml                       |   10 +++++++
 packages/apps/Browser/res/xml/privacy_security_preferences.xml     |   14 ++++++++++
 packages/apps/Browser/src/com/android/browser/BrowserSettings.java |   10 +++++++
 3 files changed, 34 insertions(+)

diff -pru a/packages/apps/Browser/res/values/strings.xml b/packages/apps/Browser/res/values/strings.xml
--- a/packages/apps/Browser/res/values/strings.xml	2017-12-09 17:33:00.707722555 +0100
+++ b/packages/apps/Browser/res/values/strings.xml	2017-12-12 19:05:13.935493568 +0100
@@ -472,6 +472,16 @@
     <string name="pref_privacy_clear_geolocation_access_summary">Clear location access for all websites</string>
     <!-- Confirmation dialog message -->
     <string name="pref_privacy_clear_geolocation_access_dlg">Clear website location access?</string>
+    <!-- CORS settings category [CHAR-LIMIT=50] -->
+    <string name="pref_privacy_cors_title">Cross-Origin Resource Sharing (CORS)</string>
+    <!-- Settings label -->
+    <string name="pref_privacy_disable_cors">Disable CORS</string>
+    <!-- Settings summary -->
+    <string name="pref_privacy_disable_cors_summary">Disable Cross-Origin Resource Sharing</string>
+    <!-- Settings label -->
+    <string name="pref_privacy_enable_cors_same_domain">Enable CORS within the same domain</string>
+    <!-- Settings summary -->
+    <string name="pref_privacy_enable_cors_same_domain_summary">Enable Cross-Origin Resource Sharing within the same domain</string>
     <!-- Passwords settings category [CHAR-LIMIT=50] -->
     <string name="pref_security_passwords_title">Passwords</string>
     <!-- Settings label -->
diff -pru a/packages/apps/Browser/res/xml/privacy_security_preferences.xml b/packages/apps/Browser/res/xml/privacy_security_preferences.xml
--- a/packages/apps/Browser/res/xml/privacy_security_preferences.xml	2017-12-09 17:33:31.213722430 +0100
+++ b/packages/apps/Browser/res/xml/privacy_security_preferences.xml	2017-12-12 20:11:08.481477401 +0100
@@ -83,6 +83,20 @@
                 android:dialogIcon="@android:drawable/ic_dialog_alert"/>
     </PreferenceCategory>
 
+    <PreferenceCategory android:title="@string/pref_privacy_cors_title">
+        <CheckBoxPreference
+                android:key="disable_cors"
+                android:defaultValue="false"
+                android:title="@string/pref_privacy_disable_cors"
+                android:summary="@string/pref_privacy_disable_cors_summary" />
+        <CheckBoxPreference
+                android:key="enable_cors_same_domain"
+                android:dependency="disable_cors"
+                android:defaultValue="true"
+                android:title="@string/pref_privacy_enable_cors_same_domain"
+                android:summary="@string/pref_privacy_enable_cors_same_domain_summary" />
+    </PreferenceCategory>
+
     <PreferenceCategory android:title="@string/pref_security_passwords_title">
         <CheckBoxPreference
                 android:key="remember_passwords"
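Review bot: `android:dependency="disable_cors"` on the `enable_cors_same_domain` checkbox only greys the control out while CORS is enabled; it does not alter the stored value, which stays at its `true` default and is still pushed to WebSettings by `BrowserSettings.syncSetting()` on every sync. That is only correct if the modified WebKit side ignores the same-domain flag whenever `disable_cors` is false, which the attached library patch would have to guarantee and this patch does not show. A comment on the second preference would make the contract visible: `<!-- Only meaningful when disable_cors is checked; the value is stored and synced regardless -->`. The `android:key` values here must also match the `PREF_DISABLE_CORS` / `PREF_ENABLE_CORS_SAME_DOMAIN` constants read in BrowserSettings.java, which this patch does not declare.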
diff -pru a/packages/apps/Browser/src/com/android/browser/BrowserSettings.java b/packages/apps/Browser/src/com/android/browser/BrowserSettings.java
--- a/packages/apps/Browser/src/com/android/browser/BrowserSettings.java	2017-12-10 15:55:51.549246476 +0100
+++ b/packages/apps/Browser/src/com/android/browser/BrowserSettings.java	2017-12-12 19:06:02.697493368 +0100
@@ -249,6 +249,8 @@ public class BrowserSettings implements
      */
     private void syncSetting(WebSettings settings) {
         settings.setGeolocationEnabled(enableGeolocation());
+        settings.setDisableCORS(disableCORS());
+        settings.setEnableCORSSameDomain(enableCORSSameDomain());
         settings.setJavaScriptEnabled(enableJavascript());
         settings.setLightTouchEnabled(enableLightTouch());
         settings.setNavDump(enableNavDump());
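Review bot: The two added calls, `settings.setDisableCORS(...)` and `settings.setEnableCORSSameDomain(...)`, are not methods of the stock `android.webkit.WebSettings`; nothing in this file tells a reader that they come from the modified WebKit library the patch description mentions, so a build against an unpatched framework fails with no explanation. A one-line comment above them would document that: `// Non-standard WebSettings API: requires the patched WebKit (Chromium) library`. syncSetting's body continues outside the hunk.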
@@ -817,6 +819,14 @@ public class BrowserSettings implements
         return mPrefs.getBoolean(PREF_ENABLE_GEOLOCATION, true);
     }
 
+    public boolean disableCORS() {
+        return mPrefs.getBoolean(PREF_DISABLE_CORS, false);
+    }
+
+    public boolean enableCORSSameDomain() {
+        return mPrefs.getBoolean(PREF_ENABLE_CORS_SAME_DOMAIN, true);
+    }
+
     public boolean rememberPasswords() {
         return mPrefs.getBoolean(PREF_REMEMBER_PASSWORDS, true);
     }
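Review bot: `PREF_DISABLE_CORS` and `PREF_ENABLE_CORS_SAME_DOMAIN`, read on the two added `mPrefs.getBoolean` lines, are not declared in any file this patch touches (the diffstat lists only strings.xml, the preferences XML and this file), so the change does not compile unless the constants come from elsewhere, presumably the `PreferenceKeys` interface that `BrowserSettings implements`. They would need to be added there with values matching the `android:key` attributes in privacy_security_preferences.xml: `static final String PREF_DISABLE_CORS = "disable_cors";` and `static final String PREF_ENABLE_CORS_SAME_DOMAIN = "enable_cors_same_domain";`. Each getter also deserves a short Javadoc stating that its fallback (`false` and `true` respectively) must stay in sync with the `android:defaultValue` of the corresponding preference, since the two are maintained in separate files.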
