Feat: Rework of trusted URI origins and introduction of SecurityPolicy #244
Merged
AnnaSasDev merged 11 commits into core from Apr 16, 2026
- Extend `CppWebMessageReceivedDelegate` to include origin parameter.
- Introduce `InfiniFrameWebMessageContext` for managing the current message origin across threads.
- Add origin validation and trust checks in `InfiniFrameWebViewManager`.
- Implement stricter URI scheme checks in `OpenExternalTargetWebMessageHandler` and `Load` methods.
- Enhance native platform handlers (Windows, Linux, macOS) to pass message origin.

- Add null/empty and URL parsing checks with detailed warnings.
- Implement origin and schema validation for trusted requests.
- Sanitize incoming URLs by removing query/fragment components.
- Log warnings for rejected requests and missing web content.

…me validation
- Added `InfiniFrameUriSecurityPolicy` to centralize URI security rules.
- Replaced hardcoded trust and scheme checks with configurable policies.
- Updated `InfiniFrameWebViewManager` and message handlers to use policy-based validation.
- Introduced fluent API extensions to configure allowed navigation and external schemes.
- Added unit tests to validate policy behavior and default configurations.

- Refactor `InfiniFrameWebViewManager` to use policy-based trusted origin validation.
- Extend `InfiniFrameUriSecurityPolicy` to support multiple trusted origins with fluent API.
- Introduce `IsTrustedOrigin` and `WithTrustedOrigins` methods for flexible origin configuration.
- Add unit tests for validating trusted origin behavior and builder extensions.

…eption handling, and interface additions
- Reorganize BlazorWebView namespaces for clarity (`InfiniFrame.Blazor` → `InfiniFrame.BlazorWebView`).
- Introduce `IInfiniFrameUnhandledExceptionSource` interface for exception handling registration.
- Replace `RegisterUnhandledExceptionHandler` logic with cleaner, disposable-based pattern.
- Add `AppDomainUnhandledExceptionSource` implementation to manage global exception handling.
- Enhance `InfiniFrameBlazorAppBuilder` to utilize dependency injection for unhandled exception sources.
- Expand unit tests for exception handling, with improved disposal and registration validation.

- Replaced `var` with explicit type declarations for improved readability.
- Refactored logger resolution in `InfiniFrameWindowBuilder` with fallback logic and dependency injection support.
- Added unit tests to validate logger resolution behavior.
- Improved clarity and maintainability across multiple files and test cases.

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>

- Introduced `InfiniFrameUriSecurityPolicyTests` to validate trusted origin and scheme behavior.
- Added tests for trusted origin configuration, scheme handling, and policy builder extensions.
- Increased coverage for window loading and web message context origin handling.
- Replaced explicit type declarations with `var` in test cases for consistency.

- Refactor origin fallback logic in `HandleWebMessage` for improved reliability.
- Add detailed logging for web message callbacks and origin handling.
- Implement more robust origin and request validation in native platform handlers.
- Update BlazorWebView JavaScript injection to support additional external messaging APIs.
- Add conditional WebResourceRequested handler based on WebView version for improved compatibility.
- Improve Cross-Origin Resource Sharing (CORS) headers for `_framework/blazor.modules.json`.

- Introduce `TimeoutException` handling with a 5-second timeout for `_messagePumpTask`.
- Log warning messages for timeout scenarios during WebView disposal.
- Add new test cases to ensure proper service disposal when the window is already closed.
- Improve safety checks in `InfiniFrameWindow::Invoke()` for null callbacks and invalid window handles.

…ling, and window functionalities
- Add tests for validating `IsTrustedOrigin` behavior with null values and invalid origins.
- Introduce `TriggerableUnhandledExceptionSource` as a test utility for exception handling scenarios.
- Add tests for local file URI handling in window load functionality.
- Improve coverage for trusted origin registry extensions and exception registration validation.
Closes #227
Closes #189
Closes #185
Closes #177
Closes #173
Closes #172
Closes #86
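
An added sketch, not code from this pull request or from InfiniFrame, of the checks the commit messages list: null/empty and parse checks, trusted-origin matching, a scheme allowlist, and stripping query/fragment. Every type and member name here (`UriPolicySketch`, `Trust`, `IsTrusted`, `TrySanitizeRequest`) and the `https`-only allowlist are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical sketch: type and member names are illustrative, not InfiniFrame's API.
public sealed class UriPolicySketch
{
    private readonly HashSet<string> _trusted = new(StringComparer.OrdinalIgnoreCase);
    private readonly HashSet<string> _allowedSchemes =
        new(StringComparer.OrdinalIgnoreCase) { "https" }; // assumed allowlist

    // Fluent registration of a trusted origin, stored in normalized form.
    public UriPolicySketch Trust(string origin)
    {
        if (!TryGetOrigin(origin, out string normalized))
            throw new ArgumentException("Not a usable origin", nameof(origin));
        _trusted.Add(normalized);
        return this;
    }

    // Origin = scheme + host + port, taken from the parsed URI. Comparing parsed
    // components avoids prefix-match mistakes such as treating
    // "https://app.example.evil.test" as "https://app.example".
    private static bool TryGetOrigin(string? value, out string origin)
    {
        origin = "";
        if (string.IsNullOrWhiteSpace(value)) return false;
        if (!Uri.TryCreate(value, UriKind.Absolute, out Uri? uri)) return false;
        if (uri.UserInfo.Length > 0) return false; // reject user:pass@host forms
        origin = uri.IsDefaultPort
            ? $"{uri.Scheme}://{uri.Host}"
            : $"{uri.Scheme}://{uri.Host}:{uri.Port}";
        return true;
    }

    public bool IsTrusted(string? messageOrigin) =>
        TryGetOrigin(messageOrigin, out string origin) && _trusted.Contains(origin);

    // Accept a request only from a trusted origin and only for an allowed scheme;
    // hand back the URL with its query and fragment removed.
    public bool TrySanitizeRequest(string? messageOrigin, string? url, out string? sanitized)
    {
        sanitized = null;
        if (!IsTrusted(messageOrigin)) return false;
        if (string.IsNullOrWhiteSpace(url)) return false;
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri? uri)) return false;
        if (!_allowedSchemes.Contains(uri.Scheme)) return false;
        sanitized = uri.GetLeftPart(UriPartial.Path);
        return true;
    }
}
```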