Add the following new web settings to control Cross-Origin
Resource Sharing (CORS) for improved security and privacy:

- disable-cors: to disable the CORS mode (can be tested for
  example here: https://test-cors.appspot.com/#technical);
- enable-cors-same-domain: to enable loading resources
  from a different site within the same domain (slightly
  less safe, but more functional);
- disable-cors-redirection: to disable redirection (safer,
  but much less functional).

This version of the patch is intended for the current stable
branch (2.18.x).
---
 Source/WebCore/loader/LinkLoader.cpp                 |   16 +
 Source/WebCore/loader/SubresourceLoader.cpp          |   47 ++++
 Source/WebCore/loader/SubresourceLoader.h            |    3 
 Source/WebCore/loader/cache/CachedResourceLoader.cpp |   21 ++
 Source/WebCore/page/Page.h                           |    5 
 Source/WebCore/page/Settings.in                      |    3 
 Source/WebKit/Shared/WebPreferencesDefinitions.h     |    3 
 Source/WebKit/UIProcess/API/C/WKPreferences.cpp      |   30 +++
 Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp  |  180 +++++++++++++++++++
 Source/WebKit/UIProcess/API/gtk/WebKitSettings.h     |   21 ++
 Source/WebKit/WebProcess/WebPage/WebPage.cpp         |    3 
 11 files changed, 329 insertions(+), 3 deletions(-)

diff -pru webkitgtk-2.18.2-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp webkitgtk-2.18.2/Source/WebCore/loader/cache/CachedResourceLoader.cpp
--- webkitgtk-2.18.2-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2017-08-18 09:28:45.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2017-11-20 14:40:39.857969815 +0100
@@ -59,6 +59,7 @@
 #include "Page.h"
 #include "PingLoader.h"
 #include "PlatformStrategies.h"
+#include "PublicSuffix.h"
 #include "RenderElement.h"
 #include "ResourceLoadInfo.h"
 #include "ResourceTiming.h"
@@ -691,6 +692,9 @@ void CachedResourceLoader::updateHTTPReq
 
 CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(CachedResource::Type type, CachedResourceRequest&& request, ForPreload forPreload, DeferOption defer)
 {
+    bool disableCORS = frame()->page()->isCORSDisabled();
+    bool enableCORSSameDomain = frame()->page()->isCORSSameDomainEnabled();
+
     if (Document* document = this->document())
         request.upgradeInsecureRequestIfNeeded(*document);
 
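Review bot: The two new lines dereference `frame()->page()` with no null check, although the same patch's SubresourceLoader helpers guard both `m_frame` and `m_frame->page()`; frame() and page() are both nullable in this loader, so a request issued after detachment turns into a crash rather than a refused load. The same unguarded `document.page()->...` appears in the LinkLoader::loadLink hunk. A null-tolerant read such as `Page* page = frame() ? frame()->page() : nullptr; bool disableCORS = page && page->isCORSDisabled();` (and likewise for the same-domain flag) keeps the default path unaffected. requestResource continues outside this hunk.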
@@ -703,6 +707,20 @@ CachedResourceHandle<CachedResource> Cac
         return nullptr;
     }
 
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(url.host());
+            String documentDomain = topPrivatelyControlledDomain(frame()->document()->url().host());
+            if (!equalIgnoringASCIICase(requestDomain, documentDomain) && type != CachedResource::MainResource) {
+                RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame());
+                return nullptr;
+            }
+        } else if (!equalIgnoringASCIICase(url.host(), frame()->document()->url().host()) && type != CachedResource::MainResource) {
+                RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame());
+                return nullptr;
+        }
+    }
+
     prepareFetch(type, request);
 
     // We are passing url as well as request, as request url may contain a fragment identifier.
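Review bot: The same-domain branch compares the `topPrivatelyControlledDomain()` results without the `!documentDomain.isEmpty()` guard the LinkLoader hunk has, so a document with an empty host (about:blank, data: or file: URLs) will have every non-main resource refused, and what the function returns for IP-literal or single-label hosts should be confirmed before relying on it. The two branches also diverge in style: the `else if` body is indented eight spaces, the RELEASE_LOG line is duplicated, and this file uses `equalIgnoringASCIICase` where LinkLoader uses `!=`. Hoisting `const String& documentHost = frame()->document()->url().host();` and computing `bool sameSite = enableCORSSameDomain ? equalIgnoringASCIICase(topPrivatelyControlledDomain(url.host()), topPrivatelyControlledDomain(documentHost)) : equalIgnoringASCIICase(url.host(), documentHost);` leaves a single `if (!documentHost.isEmpty() && !sameSite && type != CachedResource::MainResource)` around one log-and-return. The decision is also taken against `frame()->document()` rather than this loader's own `document()`, which may differ for imported documents — worth confirming which is intended. requestResource starts and ends outside this hunk.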
@@ -770,7 +788,8 @@ CachedResourceHandle<CachedResource> Cac
     RevalidationPolicy policy = determineRevalidationPolicy(type, request, resource.get(), forPreload, defer);
     switch (policy) {
     case Reload:
-        memoryCache.remove(*resource);
+        if (resource)
+            memoryCache.remove(*resource);
         FALLTHROUGH;
     case Load:
         if (resource)
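Review bot: The `if (resource)` guard in front of `memoryCache.remove(*resource)` is unrelated to the CORS settings and would be easier to review and backport as its own patch. If determineRevalidationPolicy() can indeed return Reload for a null resource, a comment stating when that happens (e.g. `// Reload may be chosen for a resource that was never cached` — only if that is the case) makes the guard self-explaining; otherwise it hides a logic error rather than fixing one. requestResource continues outside this hunk.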
diff -pru webkitgtk-2.18.2-orig/Source/WebCore/loader/LinkLoader.cpp webkitgtk-2.18.2/Source/WebCore/loader/LinkLoader.cpp
--- webkitgtk-2.18.2-orig/Source/WebCore/loader/LinkLoader.cpp	2017-08-14 17:09:39.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebCore/loader/LinkLoader.cpp	2017-11-18 21:10:52.354463912 +0100
@@ -49,6 +49,8 @@
 #include "LinkRelAttribute.h"
 #include "MIMETypeRegistry.h"
 #include "MediaQueryEvaluator.h"
+#include "Page.h"
+#include "PublicSuffix.h"
 #include "RuntimeEnabledFeatures.h"
 #include "Settings.h"
 #include "StyleResolver.h"
@@ -244,6 +246,20 @@ void LinkLoader::cancelLoad()
 
 bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const URL& href, const String& as, const String& media, const String& mimeType, const String& crossOrigin, Document& document)
 {
+    bool disableCORS = document.page()->isCORSDisabled();
+    bool enableCORSSameDomain = document.page()->isCORSSameDomainEnabled();
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(href.host());
+            String documentDomain = topPrivatelyControlledDomain(document.url().host());
+            if (!documentDomain.isEmpty() && !equalIgnoringASCIICase(requestDomain, documentDomain))
+                return false;
+        } else if (!document.url().host().isEmpty() && href.host() != document.url().host()) {
+                return false;
+        }
+    }
+
     if (relAttribute.isDNSPrefetch) {
         // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt
         // to complete that as URL <https://bugs.webkit.org/show_bug.cgi?id=48857>.
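Review bot: `document.page()` is dereferenced without a null check; Document::page() is null for a document that has lost its frame, and loadLink may still be reached from such a document, so this should guard like the SubresourceLoader helpers in this patch: `Page* page = document.page(); bool disableCORS = page && page->isCORSDisabled();`. The check also runs ahead of the `isDNSPrefetch` branch, so cross-site `dns-prefetch` hints are refused too — reasonable if intended, but the commit message only speaks of resource loading, so a one-line comment stating it would help. The host comparison here uses `!=` while CachedResourceLoader uses `equalIgnoringASCIICase`; host names are case-insensitive, so the latter is the safer choice in both places. loadLink continues outside this hunk.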
diff -pru webkitgtk-2.18.2-orig/Source/WebCore/loader/SubresourceLoader.cpp webkitgtk-2.18.2/Source/WebCore/loader/SubresourceLoader.cpp
--- webkitgtk-2.18.2-orig/Source/WebCore/loader/SubresourceLoader.cpp	2017-11-10 20:58:21.939389930 +0100
+++ webkitgtk-2.18.2/Source/WebCore/loader/SubresourceLoader.cpp	2017-11-17 18:53:21.277850872 +0100
@@ -163,6 +163,39 @@ bool SubresourceLoader::isSubresourceLoa
     return true;
 }
 
+bool SubresourceLoader::isCORSDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSDisabled();
+}
+
+bool SubresourceLoader::isCORSSameDomainEnabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSSameDomainEnabled();
+}
+
+bool SubresourceLoader::isCORSRedirectionDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSRedirectionDisabled();
+}
+
 void SubresourceLoader::willSendRequestInternal(ResourceRequest& newRequest, const ResourceResponse& redirectResponse)
 {
     // Store the previous URL because the call to ResourceLoader::willSendRequest will modify it.
@@ -486,14 +519,24 @@ bool SubresourceLoader::checkRedirection
 {
     bool crossOriginFlag = m_resource->isCrossOrigin();
     bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
+    bool disableCORS = isCORSDisabled();
+    bool disableCORSRedirection = isCORSRedirectionDisabled();
 
     if (isNextRequestCrossOrigin)
         m_resource->setCrossOrigin();
 
     ASSERT(options().mode != FetchOptions::Mode::SameOrigin || !m_resource->isCrossOrigin());
 
-    if (options().mode != FetchOptions::Mode::Cors)
-        return true;
+    if (options().mode != FetchOptions::Mode::Cors) {
+        if (!disableCORS) {
+            return true;
+        } else {
+            if (!disableCORSRedirection)
+                return true;
+            else
+                return false;
+        }
+    }
 
     // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 8 & 9.
     if (m_resource->isCrossOrigin() && !isValidCrossOriginRedirectionURL(newRequest.url())) {
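Review bot: The new nested `if`/`else` collapses to a single statement, `return !(disableCORS && disableCORSRedirection);`, and it deserves a comment because the behaviour is non-obvious: the redirect is refused only for loads whose fetch mode is not `Cors`, so a CORS-mode fetch still follows cross-origin redirects through the existing step 8/9 check below even with `disable-cors-redirection` on, while a same-origin redirect of a no-cors load is refused. Whether that split is intended should be stated, since the commit message describes the setting as disabling redirection outright. Neither `crossOriginFlag` nor `isNextRequestCrossOrigin` is consulted by the new branch, which is why same-origin redirects fall under it. checkRedirectionIsSafe starts and ends outside this hunk.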
diff -pru webkitgtk-2.18.2-orig/Source/WebCore/loader/SubresourceLoader.h webkitgtk-2.18.2/Source/WebCore/loader/SubresourceLoader.h
--- webkitgtk-2.18.2-orig/Source/WebCore/loader/SubresourceLoader.h	2017-11-10 17:04:21.387447332 +0100
+++ webkitgtk-2.18.2/Source/WebCore/loader/SubresourceLoader.h	2017-11-15 01:36:36.785811637 +0100
@@ -48,6 +48,9 @@ public:
 
     void cancelIfNotFinishing();
     bool isSubresourceLoader() override;
+    bool isCORSDisabled() const;
+    bool isCORSSameDomainEnabled() const;
+    bool isCORSRedirectionDisabled() const;
     CachedResource* cachedResource();
 
     SecurityOrigin* origin() { return m_origin.get(); }
diff -pru webkitgtk-2.18.2-orig/Source/WebCore/page/Page.h webkitgtk-2.18.2/Source/WebCore/page/Page.h
--- webkitgtk-2.18.2-orig/Source/WebCore/page/Page.h	2017-08-18 09:28:45.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebCore/page/Page.h	2017-11-17 03:49:18.639072631 +0100
@@ -33,6 +33,7 @@
 #include "Region.h"
 #include "ScrollTypes.h"
 #include "SessionID.h"
+#include "Settings.h"
 #include "Supplementable.h"
 #include "Timer.h"
 #include "UserInterfaceLayoutDirection.h"
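Review bot: Including `Settings.h` from `Page.h` exists only so the three inline accessors in the following hunk can dereference `m_settings`; if Page.h previously managed with a forward declaration of Settings, this pulls the generated settings header into every translation unit that includes Page.h. The accessors are not hot, so defining them in Page.cpp (`bool Page::isCORSDisabled() const { return m_settings->disableCORS(); }` and likewise for the other two) keeps the include out of the header.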
@@ -590,6 +591,10 @@ public:
     bool isLowPowerModeEnabled() const;
     WEBCORE_EXPORT void setLowPowerModeEnabledOverrideForTesting(std::optional<bool>);
 
+    bool isCORSDisabled() const { return m_settings->disableCORS(); }
+    bool isCORSSameDomainEnabled() const { return m_settings->enableCORSSameDomain(); }
+    bool isCORSRedirectionDisabled() const { return m_settings->disableCORSRedirection(); }
+
 private:
     struct Navigation {
         String domain;
diff -pru webkitgtk-2.18.2-orig/Source/WebCore/page/Settings.in webkitgtk-2.18.2/Source/WebCore/page/Settings.in
--- webkitgtk-2.18.2-orig/Source/WebCore/page/Settings.in	2017-08-09 11:13:51.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebCore/page/Settings.in	2017-11-12 00:59:01.247462115 +0100
@@ -52,6 +52,9 @@ preventKeyboardDOMEventDispatch initial=
 localStorageEnabled initial=false
 allowUniversalAccessFromFileURLs initial=true
 allowFileAccessFromFileURLs initial=true
+disableCORS initial=false
+enableCORSSameDomain initial=true
+disableCORSRedirection initial=false
 needsStorageAccessFromFileURLsQuirk initial=true
 javaScriptCanOpenWindowsAutomatically initial=false
 javaScriptCanAccessClipboard initial=false
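Review bot: The three new keys are negatively named (`disableCORS`, `disableCORSRedirection`) while the surrounding keys follow the positive `...Enabled`/`...Automatically` convention, which produces double negatives such as `!disableCORS` in SubresourceLoader::checkRedirectionIsSafe and an `enableCORSSameDomain initial=true` that only takes effect when `disableCORS` is also true. Positively named keys — e.g. `crossSiteSubresourceLoadsBlocked initial=false` (name constructed here) — would read more naturally across the patch. If the file format accepts comments, a line noting that `enableCORSSameDomain` is consulted only when `disableCORS` is set would help, since nothing else documents that coupling.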
diff -pru webkitgtk-2.18.2-orig/Source/WebKit/Shared/WebPreferencesDefinitions.h webkitgtk-2.18.2/Source/WebKit/Shared/WebPreferencesDefinitions.h
--- webkitgtk-2.18.2-orig/Source/WebKit/Shared/WebPreferencesDefinitions.h	2017-10-17 16:24:07.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebKit/Shared/WebPreferencesDefinitions.h	2017-11-12 00:59:01.276462115 +0100
@@ -172,6 +172,9 @@
     macro(WebSecurityEnabled, webSecurityEnabled, Bool, bool, true, "", "") \
     macro(AllowUniversalAccessFromFileURLs, allowUniversalAccessFromFileURLs, Bool, bool, false, "", "") \
     macro(AllowFileAccessFromFileURLs, allowFileAccessFromFileURLs, Bool, bool, false, "", "") \
+    macro(DisableCORS, disableCORS, Bool, bool, false, "", "") \
+    macro(EnableCORSSameDomain, enableCORSSameDomain, Bool, bool, true, "", "") \
+    macro(DisableCORSRedirection, disableCORSRedirection, Bool, bool, false, "", "") \
     macro(AVFoundationEnabled, isAVFoundationEnabled, Bool, bool, true, "", "") \
     macro(AVFoundationNSURLSessionEnabled, isAVFoundationNSURLSessionEnabled, Bool, bool, true, "", "") \
     macro(GStreamerEnabled, isGStreamerEnabled, Bool, bool, true, "", "") \
diff -pru webkitgtk-2.18.2-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp webkitgtk-2.18.2/Source/WebKit/UIProcess/API/C/WKPreferences.cpp
--- webkitgtk-2.18.2-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2017-08-09 11:13:52.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2017-11-12 00:59:01.294462115 +0100
@@ -745,6 +745,36 @@ bool WKPreferencesGetFileAccessFromFileU
     return toImpl(preferencesRef)->allowFileAccessFromFileURLs();
 }
 
+void WKPreferencesSetDisableCORS(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORS(allowed);
+}
+
+bool WKPreferencesGetDisableCORS(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORS();
+}
+
+void WKPreferencesSetEnableCORSSameDomain(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setEnableCORSSameDomain(allowed);
+}
+
+bool WKPreferencesGetEnableCORSSameDomain(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->enableCORSSameDomain();
+}
+
+void WKPreferencesSetDisableCORSRedirection(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORSRedirection(allowed);
+}
+
+bool WKPreferencesGetDisableCORSRedirection(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORSRedirection();
+}
+
 void WKPreferencesSetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferencesRef, bool needsQuirk)
 {
     toImpl(preferencesRef)->setNeedsStorageAccessFromFileURLsQuirk(needsQuirk);
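Review bot: The diffstat lists no `WKPreferencesRef.h` or `WKPreferencesRefPrivate.h` change, so unless those prototypes are added elsewhere the six new C-API functions are defined but never declared to a caller. The setter parameter is named `allowed` even though passing `true` to `WKPreferencesSetDisableCORS` restricts loading; `disabled` (and `enabled` for the same-domain setter) describes the value, and the same naming recurs in the WebKitSettings.cpp and WebKitSettings.h hunks.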
diff -pru webkitgtk-2.18.2-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp webkitgtk-2.18.2/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp
--- webkitgtk-2.18.2-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2017-09-11 08:15:45.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2017-11-12 17:59:52.157796721 +0100
@@ -153,6 +153,9 @@ enum {
 #if PLATFORM(GTK)
     PROP_HARDWARE_ACCELERATION_POLICY,
 #endif
+    PROP_DISABLE_CORS,
+    PROP_ENABLE_CORS_SAME_DOMAIN,
+    PROP_DISABLE_CORS_REDIRECTION,
 };
 
 static void webKitSettingsConstructed(GObject* object)
@@ -331,6 +334,15 @@ static void webKitSettingsSetProperty(GO
         webkit_settings_set_hardware_acceleration_policy(settings, static_cast<WebKitHardwareAccelerationPolicy>(g_value_get_enum(value)));
         break;
 #endif
+    case PROP_DISABLE_CORS:
+        webkit_settings_set_disable_cors(settings, g_value_get_boolean(value));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        webkit_settings_set_enable_cors_same_domain(settings, g_value_get_boolean(value));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        webkit_settings_set_disable_cors_redirection(settings, g_value_get_boolean(value));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -499,6 +511,15 @@ static void webKitSettingsGetProperty(GO
         g_value_set_enum(value, webkit_settings_get_hardware_acceleration_policy(settings));
         break;
 #endif
+    case PROP_DISABLE_CORS:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors(settings));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        g_value_set_boolean(value, webkit_settings_get_enable_cors_same_domain(settings));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors_redirection(settings));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -1320,6 +1341,51 @@ static void webkit_settings_class_init(W
             WEBKIT_HARDWARE_ACCELERATION_POLICY_ON_DEMAND,
             readWriteConstructParamFlags));
 #endif // PLATFOTM(GTK)
+
+    /**
+     * WebKitSettings:disable-cors:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) is disabled.
+     *
+     * Since: 2.18.4
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_DISABLE_CORS,
+        g_param_spec_boolean("disable-cors",
+            _("Disable Cross Origin Resource Sharing (CORS)"),
+            _("Whether Cross Origin Resource Sharing (CORS) is disabled."),
+            FALSE,
+            readWriteConstructParamFlags));
+
+    /**
+     * WebKitSettings:enable-cors-same-domain:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) within the same domain is enabled.
+     *
+     * Since: 2.18.4
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_ENABLE_CORS_SAME_DOMAIN,
+        g_param_spec_boolean("enable-cors-same-domain",
+            _("Enable Cross Origin Resource Sharing (CORS) within the same domain"),
+            _("Whether Cross Origin Resource Sharing (CORS) within the same domain is enabled."),
+            TRUE,
+            readWriteConstructParamFlags));
+
+    /**
+     * WebKitSettings:disable-cors-redirection:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) Redirection is disabled.
+     *
+     * Since: 2.18.4
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_DISABLE_CORS_REDIRECTION,
+        g_param_spec_boolean("disable-cors-redirection",
+            _("Disable Cross Origin Resource Sharing (CORS) Redirection"),
+            _("Whether Cross Origin Resource Sharing (CORS) Redirection is disabled."),
+            FALSE,
+            readWriteConstructParamFlags));
 }
 
 WebPreferences* webkitSettingsGetPreferences(WebKitSettings* settings)
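Review bot: The property documentation restates each name rather than the effect, which misleads because `disable-cors` does not turn CORS enforcement off: with it set, CachedResourceLoader and LinkLoader refuse cross-site subresource loads outright, and `enable-cors-same-domain` and `disable-cors-redirection` are consulted only while it is set. The gtk-doc blocks should say so, for example for `enable-cors-same-domain`: `Whether, when #WebKitSettings:disable-cors is %TRUE, resources may still be loaded from other hosts that share the document's registrable domain (e.g. a sub-domain of the same site). Has no effect while disable-cors is %FALSE.` Matching sentences for the other two properties, and matching blurbs in the `g_param_spec_boolean` strings, would spare API users a trip to the loader code.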
@@ -3270,3 +3336,117 @@ void webkit_settings_set_hardware_accele
         g_object_notify(G_OBJECT(settings), "hardware-acceleration-policy");
 }
 #endif // PLATFORM(GTK)
+
+/**
+ * webkit_settings_get_disable_cors:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors property.
+ *
+ * Returns: %TRUE If CORS is disabled or %FALSE otherwise.
+ *
+ * Since: 2.18.4
+ */
+gboolean webkit_settings_get_disable_cors(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORS();
+}
+
+/**
+ * webkit_settings_set_disable_cors:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors property.
+ *
+ * Since: 2.18.4
+ */
+void webkit_settings_set_disable_cors(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORS() == allowed)
+        return;
+
+    priv->preferences->setDisableCORS(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors");
+}
+
+/**
+ * webkit_settings_get_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Returns: %TRUE If CORS within the same domain is enabled or %FALSE otherwise.
+ *
+ * Since: 2.18.4
+ */
+gboolean webkit_settings_get_enable_cors_same_domain(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->enableCORSSameDomain();
+}
+
+/**
+ * webkit_settings_set_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Since: 2.18.4
+ */
+void webkit_settings_set_enable_cors_same_domain(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->enableCORSSameDomain() == allowed)
+        return;
+
+    priv->preferences->setEnableCORSSameDomain(allowed);
+    g_object_notify(G_OBJECT(settings), "enable-cors-same-domain");
+}
+
+/**
+ * webkit_settings_get_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Returns: %TRUE If CORS redirection is disabled or %FALSE otherwise.
+ *
+ * Since: 2.18.4
+ */
+gboolean webkit_settings_get_disable_cors_redirection(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORSRedirection();
+}
+
+/**
+ * webkit_settings_set_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Since: 2.18.4
+ */
+void webkit_settings_set_disable_cors_redirection(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORSRedirection() == allowed)
+        return;
+
+    priv->preferences->setDisableCORSRedirection(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors-redirection");
+}
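Review bot: This implementation lives in the shared `API/glib/` directory but the only header hunk in the patch is `API/gtk/WebKitSettings.h`; if this tree also builds the WPE port from the same glib sources, these six functions ship there without prototypes. The `Returns:` lines read `%TRUE If CORS is disabled` with a capitalised `If` in all three getters. The setter docs `@allowed: Value to be set` could state the meaning instead, e.g. `@disabled: %TRUE to refuse cross-site subresource loads`, with the parameter renamed to match.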
diff -pru webkitgtk-2.18.2-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h webkitgtk-2.18.2/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h
--- webkitgtk-2.18.2-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h	2017-08-09 11:13:52.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h	2017-11-12 00:59:01.295462115 +0100
@@ -451,6 +451,27 @@ WEBKIT_API void
 webkit_settings_set_hardware_acceleration_policy               (WebKitSettings *settings,
                                                                 WebKitHardwareAccelerationPolicy policy);
 
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors                               (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors                               (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_enable_cors_same_domain                    (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_enable_cors_same_domain                    (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors_redirection                   (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors_redirection                   (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
 G_END_DECLS
 
 #endif /* WebKitSettings_h */
diff -pru webkitgtk-2.18.2-orig/Source/WebKit/WebProcess/WebPage/WebPage.cpp webkitgtk-2.18.2/Source/WebKit/WebProcess/WebPage/WebPage.cpp
--- webkitgtk-2.18.2-orig/Source/WebKit/WebProcess/WebPage/WebPage.cpp	2017-10-17 10:20:10.000000000 +0200
+++ webkitgtk-2.18.2/Source/WebKit/WebProcess/WebPage/WebPage.cpp	2017-11-15 03:28:12.336784263 +0100
@@ -3077,6 +3077,9 @@ void WebPage::updatePreferences(const We
     settings.setWebSecurityEnabled(store.getBoolValueForKey(WebPreferencesKey::webSecurityEnabledKey()));
     settings.setAllowUniversalAccessFromFileURLs(store.getBoolValueForKey(WebPreferencesKey::allowUniversalAccessFromFileURLsKey()));
     settings.setAllowFileAccessFromFileURLs(store.getBoolValueForKey(WebPreferencesKey::allowFileAccessFromFileURLsKey()));
+    settings.setDisableCORS(store.getBoolValueForKey(WebPreferencesKey::disableCORSKey()));
+    settings.setEnableCORSSameDomain(store.getBoolValueForKey(WebPreferencesKey::enableCORSSameDomainKey()));
+    settings.setDisableCORSRedirection(store.getBoolValueForKey(WebPreferencesKey::disableCORSRedirectionKey()));
     settings.setNeedsStorageAccessFromFileURLsQuirk(store.getBoolValueForKey(WebPreferencesKey::needsStorageAccessFromFileURLsQuirkKey()));
 
     settings.setMinimumFontSize(store.getDoubleValueForKey(WebPreferencesKey::minimumFontSizeKey()));
