This patch modifies the Android KitKat release (version 4.4) so that the
Cross-Origin Resource Sharing (CORS) web browsing functionality can be
disabled at runtime to avoid the associated severe security and privacy
risks.

The web browsers to be used must also be modified by applying additional
patches, so that they can control the new CORS settings (patches are
included here for the default Android browser and two other selected
browsers).

 external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java |   84 ++++++++++
 external/chromium_org/android_webview/native/aw_settings.cc                                 |    9 +
 external/chromium_org/content/public/common/common_param_traits_macros.h                    |    3 
 external/chromium_org/content/renderer/web_preferences.cc                                   |    4 
 external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp              |   21 ++
 external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in                      |    3 
 external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp              |   13 +
 external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp                  |   16 +
 external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp                     |   15 +
 external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h                       |    3 
 external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp                      |   62 +++++++
 external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h                        |   34 ++++
 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk                |    1 
 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk               |    1 
 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk                |    1 
 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk                 |    1 
 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk                |    1 
 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk                 |    1 
 external/chromium_org/third_party/WebKit/public/web/WebSettings.h                           |    3 
 external/chromium_org/webkit/common/webpreferences.cc                                       |    3 
 external/chromium_org/webkit/common/webpreferences.h                                        |    3 
 frameworks/base/core/java/android/webkit/WebSettings.java                                   |   51 ++++++
 22 files changed, 332 insertions(+), 1 deletion(-)

diff -pruN a/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java b/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java
--- a/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java	2017-12-06 14:44:28.758823578 +0100
+++ b/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java	2017-12-09 17:55:55.772716933 +0100
@@ -71,6 +71,9 @@ public class AwSettings {
     private boolean mJavaScriptEnabled = false;
     private boolean mAllowUniversalAccessFromFileURLs = false;
     private boolean mAllowFileAccessFromFileURLs = false;
+    private boolean mDisableCORS = false;
+    private boolean mEnableCORSSameDomain = true;
+    private boolean mDisableCORSRedirection = false;
     private boolean mJavaScriptCanOpenWindowsAutomatically = false;
     private boolean mSupportMultipleWindows = false;
     private PluginState mPluginState = PluginState.OFF;
@@ -892,6 +895,42 @@ public class AwSettings {
     }
 
     /**
+     * See {@link android.webkit.WebSettings#setDisableCORS}.
+     */
+    public void setDisableCORS(boolean flag) {
+        synchronized (mAwSettingsLock) {
+            if (mDisableCORS != flag) {
+                mDisableCORS = flag;
+                mEventHandler.updateWebkitPreferencesLocked();
+            }
+        }
+    }
+
+    /**
+     * See {@link android.webkit.WebSettings#setEnableCORSSameDomain}.
+     */
+    public void setEnableCORSSameDomain(boolean flag) {
+        synchronized (mAwSettingsLock) {
+            if (mEnableCORSSameDomain != flag) {
+                mEnableCORSSameDomain = flag;
+                mEventHandler.updateWebkitPreferencesLocked();
+            }
+        }
+    }
+
+    /**
+     * See {@link android.webkit.WebSettings#setDisableCORSRedirection}.
+     */
+    public void setDisableCORSRedirection(boolean flag) {
+        synchronized (mAwSettingsLock) {
+            if (mDisableCORSRedirection != flag) {
+                mDisableCORSRedirection = flag;
+                mEventHandler.updateWebkitPreferencesLocked();
+            }
+        }
+    }
+
+    /**
      * See {@link android.webkit.WebSettings#setLoadsImagesAutomatically}.
      */
     public void setLoadsImagesAutomatically(boolean flag) {
@@ -991,6 +1030,51 @@ public class AwSettings {
     }
 
     /**
+     * See {@link android.webkit.WebSettings#getDisableCORS}.
+     */
+    public boolean getDisableCORS() {
+        synchronized (mAwSettingsLock) {
+            return mDisableCORS;
+        }
+    }
+
+    @CalledByNative
+    private boolean getDisableCORSLocked() {
+        assert Thread.holdsLock(mAwSettingsLock);
+        return mDisableCORS;
+    }
+
+    /**
+     * See {@link android.webkit.WebSettings#getEnableCORSSameDomain}.
+     */
+    public boolean getEnableCORSSameDomain() {
+        synchronized (mAwSettingsLock) {
+            return mEnableCORSSameDomain;
+        }
+    }
+
+    @CalledByNative
+    private boolean getEnableCORSSameDomainLocked() {
+        assert Thread.holdsLock(mAwSettingsLock);
+        return mEnableCORSSameDomain;
+    }
+
+    /**
+     * See {@link android.webkit.WebSettings#getDisableCORSRedirection}.
+     */
+    public boolean getDisableCORSRedirection() {
+        synchronized (mAwSettingsLock) {
+            return mDisableCORSRedirection;
+        }
+    }
+
+    @CalledByNative
+    private boolean getDisableCORSRedirectionLocked() {
+        assert Thread.holdsLock(mAwSettingsLock);
+        return mDisableCORSRedirection;
+    }
+
+    /**
      * See {@link android.webkit.WebSettings#setPluginsEnabled}.
      */
     public void setPluginsEnabled(boolean flag) {
diff -pruN a/external/chromium_org/android_webview/native/aw_settings.cc b/external/chromium_org/android_webview/native/aw_settings.cc
--- a/external/chromium_org/android_webview/native/aw_settings.cc	2017-11-24 05:28:28.242415892 +0100
+++ b/external/chromium_org/android_webview/native/aw_settings.cc	2017-12-09 17:57:13.161716617 +0100
@@ -274,6 +274,15 @@ void AwSettings::PopulateWebPreferencesL
   web_prefs->allow_file_access_from_file_urls =
       Java_AwSettings_getAllowFileAccessFromFileURLsLocked(env, obj);
 
+  web_prefs->disable_cors =
+      Java_AwSettings_getDisableCORSLocked(env, obj);
+
+  web_prefs->enable_cors_same_domain =
+      Java_AwSettings_getEnableCORSSameDomainLocked(env, obj);
+
+  web_prefs->disable_cors_redirection =
+      Java_AwSettings_getDisableCORSRedirectionLocked(env, obj);
+
   web_prefs->javascript_can_open_windows_automatically =
       Java_AwSettings_getJavaScriptCanOpenWindowsAutomaticallyLocked(env, obj);
 
diff -pruN a/external/chromium_org/content/public/common/common_param_traits_macros.h b/external/chromium_org/content/public/common/common_param_traits_macros.h
--- a/external/chromium_org/content/public/common/common_param_traits_macros.h	2017-11-24 05:29:42.423415589 +0100
+++ b/external/chromium_org/content/public/common/common_param_traits_macros.h	2017-12-09 00:52:02.984968088 +0100
@@ -112,6 +112,9 @@ IPC_STRUCT_TRAITS_BEGIN(WebPreferences)
   IPC_STRUCT_TRAITS_MEMBER(is_online)
   IPC_STRUCT_TRAITS_MEMBER(allow_universal_access_from_file_urls)
   IPC_STRUCT_TRAITS_MEMBER(allow_file_access_from_file_urls)
+  IPC_STRUCT_TRAITS_MEMBER(disable_cors)
+  IPC_STRUCT_TRAITS_MEMBER(enable_cors_same_domain)
+  IPC_STRUCT_TRAITS_MEMBER(disable_cors_redirection)
   IPC_STRUCT_TRAITS_MEMBER(webaudio_enabled)
   IPC_STRUCT_TRAITS_MEMBER(experimental_webgl_enabled)
   IPC_STRUCT_TRAITS_MEMBER(experimental_websocket_enabled)
diff -pruN a/external/chromium_org/content/renderer/web_preferences.cc b/external/chromium_org/content/renderer/web_preferences.cc
--- a/external/chromium_org/content/renderer/web_preferences.cc	2017-11-24 05:29:43.652415584 +0100
+++ b/external/chromium_org/content/renderer/web_preferences.cc	2017-12-07 02:16:25.619653846 +0100
@@ -177,6 +177,10 @@ void ApplyWebPreferences(const WebPrefer
   settings->setAllowFileAccessFromFileURLs(
       prefs.allow_file_access_from_file_urls);
 
+  settings->setDisableCORS(prefs.disable_cors);
+  settings->setEnableCORSSameDomain(prefs.enable_cors_same_domain);
+  settings->setDisableCORSRedirection(prefs.disable_cors_redirection);
+
   // Enable the web audio API if requested on the command line.
   settings->setWebAudioEnabled(prefs.webaudio_enabled);
 
diff -pruN a/external/chromium_org/third_party/WebKit/public/web/WebSettings.h b/external/chromium_org/third_party/WebKit/public/web/WebSettings.h
--- a/external/chromium_org/third_party/WebKit/public/web/WebSettings.h	2017-12-05 15:16:14.065937762 +0100
+++ b/external/chromium_org/third_party/WebKit/public/web/WebSettings.h	2017-11-25 00:12:44.100304803 +0100
@@ -75,6 +75,9 @@ public:
     virtual void setAcceleratedFiltersEnabled(bool) = 0;
     virtual void setAllowDisplayOfInsecureContent(bool) = 0;
     virtual void setAllowFileAccessFromFileURLs(bool) = 0;
+    virtual void setDisableCORS(bool) = 0;
+    virtual void setEnableCORSSameDomain(bool) = 0;
+    virtual void setDisableCORSRedirection(bool) = 0;
     virtual void setAllowCustomScrollbarInMainFrame(bool) = 0;
     virtual void setAllowRunningOfInsecureContent(bool) = 0;
     virtual void setAllowScriptsToCloseWindows(bool) = 0;
diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp b/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
--- a/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp	2017-12-05 15:23:04.093936085 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp	2017-12-11 23:53:34.836776064 +0100
@@ -64,6 +64,7 @@
 #include "platform/weborigin/SecurityPolicy.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebURL.h"
+#include "wtf/InternetDomain.h"
 #include "wtf/text/CString.h"
 #include "wtf/text/WTFString.h"
 
@@ -442,6 +443,23 @@ bool ResourceFetcher::canRequest(Resourc
         return 0;
     }
 
+    bool disableCORS = (frame() && frame()->settings() && frame()->settings()->disableCORS());
+    bool enableCORSSameDomain = (frame() && frame()->settings() && frame()->settings()->enableCORSSameDomain());
+
+    if (frame() && frame()->document() && disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topDomain(url.host());
+            String documentDomain = topDomain(frame()->document()->url().host());
+            if (!equalIgnoringCase(requestDomain, documentDomain) && type != Resource::MainResource) {
+                WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource Resource blocked by Cross-Origin Resource Sharing policy");
+                return 0;
+            }
+        } else if (!equalIgnoringCase(url.host(), frame()->document()->url().host()) && type != Resource::MainResource) {
+                WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource Resource blocked by Cross-Origin Resource Sharing policy");
+                return 0;
+        }
+    }
+
     // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
     bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->script().shouldBypassMainWorldContentSecurityPolicy()) || (options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy);
 
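Review bot: The strict branch (`enableCORSSameDomain` false) compares only `url.host()` with the document host, so a request to the same host over a different scheme or port still passes, and the relaxed branch inherits whatever `topDomain()` treats as one domain. If a same-origin restriction is intended, compare origins rather than host strings, e.g. `!SecurityOrigin::create(url)->isSameSchemeHostPort(frame()->document()->securityOrigin())`, and fold the two duplicated log-and-return arms into one. The log text names `ResourceFetcher::requestResource` although the check sits in `canRequest`. As far as this hunk shows, the setting is a blanket cross-host block for non-main resources, which a comment should say: `// Blocks every non-main-resource load whose host differs from the document's; no CORS headers are evaluated here.` The body of `canRequest` continues outside the hunk.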
@@ -609,7 +627,8 @@ ResourcePtr<Resource> ResourceFetcher::r
     const RevalidationPolicy policy = determineRevalidationPolicy(type, request.mutableResourceRequest(), request.forPreload(), resource.get(), request.defer());
     switch (policy) {
     case Reload:
-        memoryCache()->remove(resource.get());
+        if (resource)
+            memoryCache()->remove(resource.get());
         // Fall through
     case Load:
         resource = loadResource(type, request, request.charset());
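Review bot: The new `if (resource)` guard in the `Reload` case is unrelated to the CORS settings and does not explain how `Reload` can be selected with a null resource. Either state the condition in a comment, e.g. `// resource can be null here when <describe the case>; nothing to evict then.`, or move the guard into a separate change so it can be reviewed on its own. Skipping the removal silently may hide an inconsistency in `determineRevalidationPolicy`. The function starts and ends outside the hunk.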
diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in b/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in
--- a/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in	2017-12-05 15:15:37.453937911 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in	2017-11-24 23:52:35.012297032 +0100
@@ -66,6 +66,9 @@ caretBrowsingEnabled initial=false
 localStorageEnabled initial=false
 allowUniversalAccessFromFileURLs initial=true
 allowFileAccessFromFileURLs initial=true
+disableCORS initial=false
+enableCORSSameDomain initial=true
+disableCORSRedirection initial=false
 javaScriptCanOpenWindowsAutomatically initial=false
 supportsMultipleWindows initial=true
 javaScriptCanAccessClipboard initial=false
diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
--- a/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp	2017-11-24 05:31:16.307415205 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp	2017-12-12 22:01:53.209450235 +0100
@@ -61,6 +61,7 @@
 #include "public/platform/Platform.h"
 #include "public/platform/WebMimeRegistry.h"
 #include "wtf/Assertions.h"
+#include "wtf/InternetDomain.h"
 #include "wtf/text/WTFString.h"
 
 namespace WebCore {
@@ -417,6 +418,18 @@ void DocumentLoader::willSendRequest(Res
         return;
     }
 
+    bool disableCORSRedirection = (frame() && frame()->settings() && frame()->settings()->disableCORSRedirection());
+    if (frame() && frame()->document() && disableCORSRedirection) {
+        if (!redirectResponse.url().host().isEmpty()) {
+            String redirectDomain = topDomain(redirectResponse.url().host());
+            String documentDomain = topDomain(frame()->document()->url().host());
+            if (!equalIgnoringCase(redirectDomain, documentDomain)) {
+                cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
+                return;
+            }
+        } 
+    }
+
     ASSERT(timing()->fetchStart());
     if (!redirectResponse.isNull()) {
         // If the redirecting url is not allowed to display content from the target origin,
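Review bot: The redirect check never looks at the redirect target: it compares `redirectResponse.url()`, the URL that answered with the redirect, against `frame()->document()->url()`, and uses `newRequest.url()` only to build the cancellation error. As written, a redirect that leaves the domain appears to pass whenever the redirecting URL shares the document's domain. If `frame()->document()` is still the previously committed page during a main-resource load, an ordinary cross-domain navigation followed by a same-site redirect would be cancelled. Comparing the source and target of the redirect seems to be the intent: `String redirectDomain = topDomain(newRequest.url().host());` and `String sourceDomain = topDomain(redirectResponse.url().host());`. `willSendRequest` starts and ends outside the hunk, so the surrounding handling is not visible here.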
diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp b/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp
--- a/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp	2017-12-05 15:15:50.773937857 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp	2017-12-08 16:34:43.952090078 +0100
@@ -40,6 +40,8 @@
 #include "core/loader/PrerenderHandle.h"
 #include "core/frame/Settings.h"
 #include "platform/network/DNS.h"
+#include "wtf/InternetDomain.h"
+#include "wtf/text/WTFString.h"
 
 namespace WebCore {
 
@@ -100,6 +102,20 @@ void LinkLoader::didSendDOMContentLoaded
 
 bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const String& type, const KURL& href, Document& document)
 {
+    bool disableCORS = (document.settings() && document.settings()->disableCORS());
+    bool enableCORSSameDomain = (document.settings() && document.settings()->enableCORSSameDomain());
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topDomain(href.host());
+            String documentDomain = topDomain(document.url().host());
+            if (!documentDomain.isEmpty() && !equalIgnoringCase(requestDomain, documentDomain))
+                return false;
+        } else if (!document.url().host().isEmpty() && href.host() != document.url().host()) {
+                return false;
+        }
+    }
+
     if (relAttribute.isDNSPrefetch()) {
         Settings* settings = document.settings();
         // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt
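Review bot: This is a second copy of the host policy from `ResourceFetcher::canRequest`, and the two copies already disagree. The strict branch here uses a case-sensitive `href.host() != document.url().host()` where the fetcher uses `equalIgnoringCase`, and an empty document host skips the check here but not there. A document whose URL has no host therefore gets no restriction on link loads at all while the setting is on. Moving the decision into one shared helper next to `topDomain()` and calling it from both places would keep the behaviour identical; at minimum use `!equalIgnoringCase(href.host(), document.url().host())` in the strict branch. `loadLink` continues past the end of the hunk.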
diff -pruN a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp
--- a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp	2017-12-05 15:14:52.178938096 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp	2017-12-09 16:51:49.369732659 +0100
@@ -367,6 +367,21 @@ void WebSettingsImpl::setAllowFileAccess
     m_settings->setAllowFileAccessFromFileURLs(allow);
 }
 
+void WebSettingsImpl::setDisableCORS(bool disabled)
+{
+    m_settings->setDisableCORS(disabled);
+}
+
+void WebSettingsImpl::setEnableCORSSameDomain(bool enabled)
+{
+    m_settings->setEnableCORSSameDomain(enabled);
+}
+
+void WebSettingsImpl::setDisableCORSRedirection(bool disabled)
+{
+    m_settings->setDisableCORSRedirection(disabled);
+}
+
 void WebSettingsImpl::setTouchDragDropEnabled(bool enabled)
 {
     m_settings->setTouchDragDropEnabled(enabled);
diff -pruN a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h
--- a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h	2017-12-05 15:15:11.140938019 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h	2017-11-24 23:56:31.641298553 +0100
@@ -68,6 +68,9 @@ public:
     virtual void setAcceleratedFiltersEnabled(bool);
     virtual void setAllowDisplayOfInsecureContent(bool);
     virtual void setAllowFileAccessFromFileURLs(bool);
+    virtual void setDisableCORS(bool);
+    virtual void setEnableCORSSameDomain(bool);
+    virtual void setDisableCORSRedirection(bool);
     virtual void setAllowCustomScrollbarInMainFrame(bool);
     virtual void setAllowRunningOfInsecureContent(bool);
     virtual void setAllowScriptsToCloseWindows(bool);
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp
--- a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp	1970-01-01 01:00:00.000000000 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp	2017-12-09 00:30:42.445973323 +0100
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2017 Guido Trentalancia (guido@trentalancia.com)
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ */
+
+#include "config.h"
+#include "InternetDomain.h"
+
+#include "wtf/text/StringBuilder.h"
+#include "wtf/Vector.h"
+
+#if OS(WIN)
+#include <windows.h>
+#endif
+
+using namespace WTF;
+
+namespace WTF {
+
+String topDomain(const String& domain)
+{
+    size_t size;
+    Vector<String> domainVector;
+
+    domain.split('.', domainVector);
+    size = domainVector.size();
+
+    if (!size)
+        return String("");
+
+    if (size >= 3) {
+        domainVector.reverse();
+        domainVector.shrink(2);
+        domainVector.reverse();
+        size = domainVector.size();
+    }
+
+    StringBuilder stringBuilder;
+    for (size_t i = 0; i < size; ++i) {
+        stringBuilder.append(domainVector[i]);
+        if (i < size - 1)
+            stringBuilder.append('.');
+    }
+
+    return stringBuilder.toString();
+}
+
+} // namespace WTF
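Review bot: `topDomain()` keeps the last two dot-separated labels, which is not a registrable domain. Hosts under a multi-label public suffix (for example `a.co.uk` and `b.co.uk` both reduce to `co.uk`) and IPv4 literals (`10.0.1.5` reduces to `1.5`) are treated as the same domain by every caller. Because the same-domain exemption and the redirect check both rely on this function, it should use a public-suffix-aware lookup and return IP literals unchanged. At the very least, document the limitation at the definition and at the declaration in InternetDomain.h: `// Returns the last two labels of |domain|; not public-suffix aware and not meaningful for IP literals.` The `#if OS(WIN)` include of `<windows.h>` and the `using namespace WTF;` line are not needed by this function.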
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h
--- a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h	1970-01-01 01:00:00.000000000 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h	2017-12-09 00:31:03.684973236 +0100
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2017 Guido Trentalancia (guido@trentalancia.com)
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ */
+
+#ifndef InternetDomain_h
+#define InternetDomain_h
+
+#include <stdint.h>
+#include <string.h>
+#include "wtf/text/WTFString.h"
+#include "wtf/WTFExport.h"
+
+namespace WTF {
+
+WTF_EXPORT String topDomain(const String& domain);
+
+} // namespace WTF
+
+#endif // InternetDomain_h
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk
--- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk	2017-12-05 15:43:27.057931085 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk	2017-12-05 15:45:59.676930461 +0100
@@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \
 	third_party/WebKit/Source/wtf/GregorianDateTime.cpp \
 	third_party/WebKit/Source/wtf/HashTable.cpp \
 	third_party/WebKit/Source/wtf/InstanceCounter.cpp \
+	third_party/WebKit/Source/wtf/InternetDomain.cpp \
 	third_party/WebKit/Source/wtf/MainThread.cpp \
 	third_party/WebKit/Source/wtf/NullPtr.cpp \
 	third_party/WebKit/Source/wtf/NumberOfCores.cpp \
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk
--- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk	2017-12-05 15:43:49.163930995 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk	2017-12-05 15:46:14.698930400 +0100
@@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \
 	third_party/WebKit/Source/wtf/GregorianDateTime.cpp \
 	third_party/WebKit/Source/wtf/HashTable.cpp \
 	third_party/WebKit/Source/wtf/InstanceCounter.cpp \
+	third_party/WebKit/Source/wtf/InternetDomain.cpp \
 	third_party/WebKit/Source/wtf/MainThread.cpp \
 	third_party/WebKit/Source/wtf/NullPtr.cpp \
 	third_party/WebKit/Source/wtf/NumberOfCores.cpp \
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk
--- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk	2017-12-05 15:43:54.973930971 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk	2017-12-05 15:46:26.012930354 +0100
@@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \
 	third_party/WebKit/Source/wtf/GregorianDateTime.cpp \
 	third_party/WebKit/Source/wtf/HashTable.cpp \
 	third_party/WebKit/Source/wtf/InstanceCounter.cpp \
+	third_party/WebKit/Source/wtf/InternetDomain.cpp \
 	third_party/WebKit/Source/wtf/MainThread.cpp \
 	third_party/WebKit/Source/wtf/NullPtr.cpp \
 	third_party/WebKit/Source/wtf/NumberOfCores.cpp \
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk
--- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk	2017-12-05 15:43:34.995931053 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk	2017-12-05 15:45:17.331930635 +0100
@@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \
 	third_party/WebKit/Source/wtf/GregorianDateTime.cpp \
 	third_party/WebKit/Source/wtf/HashTable.cpp \
 	third_party/WebKit/Source/wtf/InstanceCounter.cpp \
+	third_party/WebKit/Source/wtf/InternetDomain.cpp \
 	third_party/WebKit/Source/wtf/MainThread.cpp \
 	third_party/WebKit/Source/wtf/NullPtr.cpp \
 	third_party/WebKit/Source/wtf/NumberOfCores.cpp \
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk
--- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk	2017-12-05 15:43:41.554931026 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk	2017-12-05 15:45:40.593930539 +0100
@@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \
 	third_party/WebKit/Source/wtf/GregorianDateTime.cpp \
 	third_party/WebKit/Source/wtf/HashTable.cpp \
 	third_party/WebKit/Source/wtf/InstanceCounter.cpp \
+	third_party/WebKit/Source/wtf/InternetDomain.cpp \
 	third_party/WebKit/Source/wtf/MainThread.cpp \
 	third_party/WebKit/Source/wtf/NullPtr.cpp \
 	third_party/WebKit/Source/wtf/NumberOfCores.cpp \
diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk
--- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk	2017-12-05 15:43:17.384931125 +0100
+++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk	2017-12-05 15:44:51.975930738 +0100
@@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \
 	third_party/WebKit/Source/wtf/GregorianDateTime.cpp \
 	third_party/WebKit/Source/wtf/HashTable.cpp \
 	third_party/WebKit/Source/wtf/InstanceCounter.cpp \
+	third_party/WebKit/Source/wtf/InternetDomain.cpp \
 	third_party/WebKit/Source/wtf/MainThread.cpp \
 	third_party/WebKit/Source/wtf/NullPtr.cpp \
 	third_party/WebKit/Source/wtf/NumberOfCores.cpp \
diff -pruN a/external/chromium_org/webkit/common/webpreferences.cc b/external/chromium_org/webkit/common/webpreferences.cc
--- a/external/chromium_org/webkit/common/webpreferences.cc	2017-11-24 05:30:46.791415326 +0100
+++ b/external/chromium_org/webkit/common/webpreferences.cc	2017-12-07 02:45:00.745646834 +0100
@@ -45,6 +45,9 @@ WebPreferences::WebPreferences()
       is_online(true),
       allow_universal_access_from_file_urls(false),
       allow_file_access_from_file_urls(false),
+      disable_cors(false),
+      enable_cors_same_domain(true),
+      disable_cors_redirection(false),
       webaudio_enabled(false),
       experimental_webgl_enabled(false),
       flash_3d_enabled(true),
diff -pruN a/external/chromium_org/webkit/common/webpreferences.h b/external/chromium_org/webkit/common/webpreferences.h
--- a/external/chromium_org/webkit/common/webpreferences.h	2017-11-24 05:30:46.791415326 +0100
+++ b/external/chromium_org/webkit/common/webpreferences.h	2017-12-07 02:45:42.095646665 +0100
@@ -93,6 +93,9 @@ struct WEBKIT_COMMON_EXPORT WebPreferenc
   bool is_online;
   bool allow_universal_access_from_file_urls;
   bool allow_file_access_from_file_urls;
+  bool disable_cors;
+  bool enable_cors_same_domain;
+  bool disable_cors_redirection;
   bool webaudio_enabled;
   bool experimental_webgl_enabled;
   bool flash_3d_enabled;
diff -pru a/frameworks/base/core/java/android/webkit/WebSettings.java b/frameworks/base/core/java/android/webkit/WebSettings.java
--- a/frameworks/base/core/java/android/webkit/WebSettings.java	2017-11-24 05:55:02.811409373 +0100
+++ b/frameworks/base/core/java/android/webkit/WebSettings.java	2017-12-09 00:43:24.155970209 +0100
@@ -1018,6 +1018,27 @@ public abstract class WebSettings {
     public abstract void setAllowFileAccessFromFileURLs(boolean flag);
 
     /**
+     * Sets whether CORS is disabled. The default is false.
+     */
+    public synchronized void setDisableCORS(boolean flag) {
+        throw new MustOverrideException();
+    }
+
+    /**
+     * Sets whether CORS within the same domain is enabled. The default is true.
+     */
+    public synchronized void setEnableCORSSameDomain(boolean flag) {
+        throw new MustOverrideException();
+    }
+
+    /**
+     * Sets whether CORS Redirection is disabled. The default is false.
+     */
+    public synchronized void setDisableCORSRedirection(boolean flag) {
+        throw new MustOverrideException();
+    }
+
+    /**
      * Sets whether the WebView should enable plugins. The default is false.
      *
      * @param flag true if plugins should be enabled
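Review bot: The Javadoc on the three new setters does not say how the flags combine or what is actually blocked. Going by the renderer changes in this patch, `setEnableCORSSameDomain` only has an effect while `setDisableCORS(true)` is set, and the setting blocks cross-host subresource loads rather than the CORS mechanism as such. State that and add `@param` lines, e.g. `@param flag true to block resource loads from hosts other than the document's`. These are also new public, non-hidden methods in `frameworks/base`, and the diffstat lists no API signature file, so they may need `@hide` or an API update before the build accepts them. The getters in the next hunk need the same documentation.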
@@ -1245,6 +1266,36 @@ public abstract class WebSettings {
     public abstract boolean getAllowFileAccessFromFileURLs();
 
     /**
+     * Gets whether CORS is disabled
+     *
+     * @return whether CORS is disabled
+     * @see #setDisableCORS
+     */
+    public synchronized boolean getDisableCORS() {
+        throw new MustOverrideException();
+    }
+
+    /**
+     * Gets whether CORS within the same domain is enabled
+     *
+     * @return whether CORS within the same domain is enabled
+     * @see #setEnableCORSSameDomain
+     */
+    public synchronized boolean getEnableCORSSameDomain() {
+        throw new MustOverrideException();
+    }
+
+    /**
+     * Gets whether CORS Redirection is disabled
+     *
+     * @return whether CORS Redirection is disabled
+     * @see #setDisableCORSRedirection
+     */
+    public synchronized boolean getDisableCORSRedirection() {
+        throw new MustOverrideException();
+    }
+
+    /**
      * Gets whether plugins are enabled.
      *
      * @return true if plugins are enabled
