Blog

Selenium Grid: CORS across cross-origin iframes, third-party widgets, and remote WebDriver sessions

When embedded widgets call your API, tests must validate both parent page origin and iframe sandbox attributes.

Published: 2027-08-14Updated: 2027-08-161 min read

seleniume2ecors

BiDi and CDP

Chrome DevTools Protocol hooks can log headers—use them to assert Access-Control-* on responses.

BiDi may evolve CORS semantics in future releases—pin browser versions in Grid.

Queues that starve sessions can cause timeouts that look like CORS failures in flaky dashboards.

Health checks on nodes should not hit APIs that require credentialed cookies unless you replicate user sessions.