We maintain an application whose UI contains a QWebEngineView. The pages displayed in this view are taken from a local resource bundle, i.e. urls like qrc://mypage.html.
Some JS from the page does window.fetch(https://some.thi.ng) some url on Internet servers, with CORS enabled in the webview.
Everything was working fine with Qt 5.9.6. Yet, upgrading to Qt 5.12.1 introduced a CORS error:
Failed to load https://some.thi.ng: The 'Access-Control-Allow-Origin' header has a value 'qrc://' that is not equal to the supplied origin. Origin 'qrc://' is therefore not allowed access.
Well, it seems that it complains qrc:// is not equal to qrc://.
By using the webview chrome debugger, we could indeed confirm that the request sent an Origin header with value qrc://, and that the response did contain a Access-Control-Allow-Origin header with the same value.
By reading the reference on MDN, it seems that this is supposed to satisfy all criterions, and that the request should be conducted by the browser without any error.
Is it a problem that qrc:// is not a valid origin? A bug with the updated Qt chromium engine?
