Electron apps and localhost CORS: custom protocols and webSecurity
Disable webSecurity in Electron only during development; production builds should mirror real browser constraints.
electron, desktop, cors
Partitioned sessions
Isolate session partitions per account to avoid token bleed between embedded webviews.
If you embed remote sites, their CORS rules still apply to fetch from that origin.
Shipping checklist
Run smoke tests with webSecurity enabled before release.
Document which origins your packaged app whitelists for API calls.
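The partition advice and the shipping checklist above can be expressed as a small set of checks. This is an added example, not code from the original post; the helper names, the `disableWebSecurityInDev` option and the `https://api.example.com` origin are hypothetical placeholders.

```javascript
// Constructed placeholder: the origins the packaged app may call.
const ALLOWED_API_ORIGINS = ['https://api.example.com'];

// One persistent session partition per account, so cookies and storage
// of embedded webviews are not shared between accounts.
function partitionFor(accountId) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(String(accountId))) {
    throw new Error('invalid account id');
  }
  return `persist:account-${accountId}`;
}

// webSecurity can only be switched off in an unpackaged (dev) run;
// a packaged build always gets webSecurity: true.
function webPreferencesFor({ isPackaged, accountId, disableWebSecurityInDev = false }) {
  return {
    partition: partitionFor(accountId),
    webSecurity: isPackaged ? true : !disableWebSecurityInDev,
  };
}

// Exact origin comparison: a prefix or substring check would also
// match lookalike hostnames that merely start with an allowed origin.
function isAllowedApiOrigin(url, allowlist = ALLOWED_API_ORIGINS) {
  try {
    return allowlist.includes(new URL(url).origin);
  } catch {
    return false; // malformed URL
  }
}

// Release smoke check: returns a list of problems, empty when the
// set of window preferences is fit to ship.
function releaseProblems(prefsList) {
  const problems = [];
  const seen = new Set();
  for (const p of prefsList) {
    if (p.webSecurity !== true) problems.push(`webSecurity disabled for ${p.partition}`);
    if (seen.has(p.partition)) problems.push(`partition shared: ${p.partition}`);
    seen.add(p.partition);
  }
  return problems;
}
```

In the Electron main process the result would be passed as `new BrowserWindow({ webPreferences: webPreferencesFor({ isPackaged: app.isPackaged, accountId }) })`.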
