I’m developing an Electron (v33.0.2) application and am struggling to understand how CORS is handled in the renderer process.
When making requests from the renderer process (not the main process), does Electron enforce CORS restrictions like a regular browser would? When I run my app locally (using vite) it consistently sends pre-flight requests with origin localhost:5173. I can see this in the developer tools network tab. However when I bundle and run my app (as a customer would run it in production), I do not see any pre-flight requests at all in the network tab. I’ve tested sending “complex” requests which should on paper be pre-flighted. I’m sure requests are being sent from the renderer process as the requests are being sent via React hooks (using fetch).
I’ve also noticed we have the nodeIntegration flag set on webPreferences which may have an impact here.
Would appreciate clarification on:
- Whether CORS is enforced in the Electron renderer process.
- Is CORS used on the
file://protocol? One difference between our dev and packaged app is that the origin in dev ishttp://localhost:5173, but the origin in the packaged app isfile://. - If setting
nodeIntegrationinfluences CORS behaviour.