diff --git a/chromium_src/services/network/cors/DEPS b/chromium_src/services/network/cors/DEPS
new file mode 100644
index 0000000000000..80c2ed7be20c1
--- /dev/null
+++ b/chromium_src/services/network/cors/DEPS
@@ -0,0 +1,3 @@
+include_rules = [
+ "+../../../../../services/network/cors",
+]
diff --git a/chromium_src/services/network/cors/cors_url_loader.cc b/chromium_src/services/network/cors/cors_url_loader.cc
new file mode 100644
index 0000000000000..686d7f67964b2
--- /dev/null
+++ b/chromium_src/services/network/cors/cors_url_loader.cc
@@ -0,0 +1,18 @@
+/* Copyright 2021 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+// Nullify the Origin header for cross-origin CORS requests
+// originating from a .onion address.
+#define BRAVE_CORS_URL_LOADER_START_REQUEST \
+ if (base::EndsWith(request_.request_initiator->host(), ".onion", \
+ base::CompareCase::INSENSITIVE_ASCII) && \
+ !request_.request_initiator->IsSameOriginWith( \
+ url::Origin::Create(request_.url))) { \
+ request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin, \
+ url::Origin().Serialize()); \
+ } else /* NOLINT */
+
+#include "../../../../../services/network/cors/cors_url_loader.cc"
+#undef BRAVE_CORS_URL_LOADER_START_REQUEST
diff --git a/patches/services-network-cors-cors_url_loader.cc.patch b/patches/services-network-cors-cors_url_loader.cc.patch
new file mode 100644
index 0000000000000..40f708a6c2dc3
--- /dev/null
+++ b/patches/services-network-cors-cors_url_loader.cc.patch
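Review bot: The `.onion` test in `BRAVE_CORS_URL_LOADER_START_REQUEST` (chromium_src/services/network/cors/cors_url_loader.cc) is a raw suffix match on `host()`, so an initiator whose host is written with a trailing dot (`example.onion.`) does not match and falls through to the upstream branch, which presumably sends the real origin. Whether such a host can be loaded through Tor is not visible here, but `url::Origin::DomainIs` ignores a trailing dot and returns false for opaque origins, so `if (request_.request_initiator->DomainIs("onion") && \` expresses the check without that gap. A browser test that issues a cross-origin fetch from an .onion page and asserts `Origin: null` would pin the behaviour; none is visible in this part of the commit.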
@@ -0,0 +1,12 @@
+diff --git a/services/network/cors/cors_url_loader.cc b/services/network/cors/cors_url_loader.cc
+index dbacb3e96d1f46a6e5eb5080c69a7bb67058e27c..abb62f7cab19343998c3cd9d313348a5b0220bc6 100644
+--- a/services/network/cors/cors_url_loader.cc
++++ b/services/network/cors/cors_url_loader.cc
+@@ -528,6 +528,7 @@ void CorsURLLoader::StartRequest() {
+ (fetch_cors_flag_ ||
+ (request_.method != net::HttpRequestHeaders::kGetMethod &&
+ request_.method != net::HttpRequestHeaders::kHeadMethod))) {
++ BRAVE_CORS_URL_LOADER_START_REQUEST
+ if (tainted_) {
+ request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin,
+ url::Origin().Serialize());
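Review bot: The inserted `BRAVE_CORS_URL_LOADER_START_REQUEST` line expands to an `if (...) { ... } else` with no statement of its own, so it is only correct while the very next statement is `if (tainted_)`, and it dereferences `request_.request_initiator` without checking that the optional holds a value. The null check is presumably the first clause of the enclosing condition, which begins above this hunk's context; that should be confirmed against the upstream file. If an upstream change moves or rewrites the `if (tainted_)` statement, the trailing `else` will silently bind to whatever follows, so the macro definition deserves a comment such as `// Must expand directly before the if (tainted_) statement, inside the request_initiator null check.` The body of `StartRequest` continues outside the hunk.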