fix: disable CORS when webSecurity is disabled (#25463)
parent
a200b15600
commit
993eab691f
2 changed files with 36 additions and 1 deletions
|
@ -1507,10 +1507,11 @@ void ElectronBrowserClient::OverrideURLLoaderFactoryParams(
|
||||||
const url::Origin& origin,
|
const url::Origin& origin,
|
||||||
bool is_for_isolated_world,
|
bool is_for_isolated_world,
|
||||||
network::mojom::URLLoaderFactoryParams* factory_params) {
|
network::mojom::URLLoaderFactoryParams* factory_params) {
|
||||||
// Bypass CORB when web security is disabled.
|
// Bypass CORB and CORS when web security is disabled.
|
||||||
auto it = process_preferences_.find(factory_params->process_id);
|
auto it = process_preferences_.find(factory_params->process_id);
|
||||||
if (it != process_preferences_.end() && !it->second.web_security) {
|
if (it != process_preferences_.end() && !it->second.web_security) {
|
||||||
factory_params->is_corb_enabled = false;
|
factory_params->is_corb_enabled = false;
|
||||||
|
factory_params->disable_web_security = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
extensions::URLLoaderFactoryManager::OverrideURLLoaderFactoryParams(
|
extensions::URLLoaderFactoryManager::OverrideURLLoaderFactoryParams(
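Review bot: The comment above the lookup does not say how far the bypass reaches. The preference is found by `factory_params->process_id`, and `is_for_isolated_world` is not consulted in the visible lines, so `disable_web_security = true` appears to apply to every loader factory built for that renderer process, isolated-world ones included. I would widen the comment to something like `// Web security is tracked per process: when it is off, CORB and CORS checks are disabled for every URLLoaderFactory created for this process, isolated worlds included.` A process with no entry in `process_preferences_` keeps the default parameters, which is the safe direction and worth stating in the same comment. The function starts before and continues after this hunk, so whether later code narrows the setting is not visible here.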
|
||||||
|
|
|
@ -246,6 +246,40 @@ describe('web security', () => {
|
||||||
await p;
|
await p;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('engages CORS when web security is not disabled', async () => {
|
||||||
|
const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: true, nodeIntegration: true } });
|
||||||
|
const p = emittedOnce(ipcMain, 'response');
|
||||||
|
await w.loadURL(`data:text/html,<script>
|
||||||
|
(async function() {
|
||||||
|
try {
|
||||||
|
await fetch('${serverUrl}');
|
||||||
|
require('electron').ipcRenderer.send('response', 'passed');
|
||||||
|
} catch {
|
||||||
|
require('electron').ipcRenderer.send('response', 'failed');
|
||||||
|
}
|
||||||
|
})();
|
||||||
|
</script>`);
|
||||||
|
const [, response] = await p;
|
||||||
|
expect(response).to.equal('failed');
|
||||||
|
});
|
||||||
|
|
||||||
|
it('bypasses CORS when web security is disabled', async () => {
|
||||||
|
const w = new BrowserWindow({ show: false, webPreferences: { webSecurity: false, nodeIntegration: true } });
|
||||||
|
const p = emittedOnce(ipcMain, 'response');
|
||||||
|
await w.loadURL(`data:text/html,<script>
|
||||||
|
(async function() {
|
||||||
|
try {
|
||||||
|
await fetch('${serverUrl}');
|
||||||
|
require('electron').ipcRenderer.send('response', 'passed');
|
||||||
|
} catch {
|
||||||
|
require('electron').ipcRenderer.send('response', 'failed');
|
||||||
|
}
|
||||||
|
})();
|
||||||
|
</script>`);
|
||||||
|
const [, response] = await p;
|
||||||
|
expect(response).to.equal('passed');
|
||||||
|
});
|
||||||
|
|
||||||
it('does not crash when multiple WebContent are created with web security disabled', () => {
|
it('does not crash when multiple WebContent are created with web security disabled', () => {
|
||||||
const options = { show: false, webPreferences: { webSecurity: false } };
|
const options = { show: false, webPreferences: { webSecurity: false } };
|
||||||
const w1 = new BrowserWindow(options);
|
const w1 = new BrowserWindow(options);
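Review bot: The 'engages CORS when web security is not disabled' test treats any rejected `fetch` as proof that CORS was enforced, so it would also pass if `serverUrl` were unreachable or the request failed for an unrelated reason. Since this is the test guarding the secure default, it should tie the failure to CORS. One way is to have the test server record that the request arrived (the server setup is outside this hunk) and assert that alongside `expect(response).to.equal('failed')`. The two new tests differ only in the `webSecurity` value and the expected string, so a small shared helper taking those two arguments would keep them in step.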
|
||||||
|
|