fix: disable CORS when webSecurity is disabled (#25463)

This commit is contained in:
Cheng Zhao 2020-09-17 06:55:53 +09:00 committed by GitHub
parent a200b15600
commit 993eab691f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 36 additions and 1 deletions

View file

@ -1507,10 +1507,11 @@ void ElectronBrowserClient::OverrideURLLoaderFactoryParams(
const url::Origin& origin,
bool is_for_isolated_world,
network::mojom::URLLoaderFactoryParams* factory_params) {
// Bypass CORB when web security is disabled.
// Bypass CORB and CORS when web security is disabled.
auto it = process_preferences_.find(factory_params->process_id);
if (it != process_preferences_.end() && !it->second.web_security) {
factory_params->is_corb_enabled = false;
factory_params->disable_web_security = true;
}
extensions::URLLoaderFactoryManager::OverrideURLLoaderFactoryParams(

View file

@ -246,6 +246,40 @@ describe('web security', () => {
await p;
});
it('engages CORS when web security is not disabled', async () => {
const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: true, nodeIntegration: true } });
const p = emittedOnce(ipcMain, 'response');
await w.loadURL(`data:text/html,<script>
(async function() {
try {
await fetch('${serverUrl}');
require('electron').ipcRenderer.send('response', 'passed');
} catch {
require('electron').ipcRenderer.send('response', 'failed');
}
})();
</script>`);
const [, response] = await p;
expect(response).to.equal('failed');
});
it('bypasses CORS when web security is disabled', async () => {
const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: false, nodeIntegration: true } });
const p = emittedOnce(ipcMain, 'response');
await w.loadURL(`data:text/html,<script>
(async function() {
try {
await fetch('${serverUrl}');
require('electron').ipcRenderer.send('response', 'passed');
} catch {
require('electron').ipcRenderer.send('response', 'failed');
}
})();
</script>`);
const [, response] = await p;
expect(response).to.equal('passed');
});
it('does not crash when multiple WebContent are created with web security disabled', () => {
const options = { show: false, webPreferences: { webSecurity: false } };
const w1 = new BrowserWindow(options);