fix: don't bypass redirect checks #35357
Conversation
Originally added in #19338. We have a comment about not performing redirect checks
@zcbenz do you remember why redirect checks were skipped? Seems like the current test suite passes when checks are enabled
There was some limitation in Chromium network code that only a few hard-coded URL schemes can be redirected to, which broke custom schemes in Electron. But if the tests are passing with the bypass removed, then the limitation should have been gone.
No Release Notes
I have automatically backported this PR to "21-x-y", please check out #35366
I have automatically backported this PR to "18-x-y", please check out #35367
I have automatically backported this PR to "20-x-y", please check out #35368
I have automatically backported this PR to "19-x-y", please check out #35369
This has broken some behavior for us, a 302 redirect from is it possible to revert to the original behavior with a flag? Tried
@KishanBagaria can you expand on why you need that redirect to work? You should be able to work around it if you need by detecting the redirect in the main process and manually loading the new URL I think.
We run a localhost server (in a Another route redirects to a file: URI. Although it's possible to use
@KishanBagaria why are you using a localhost server for page load instead of a custom protocol? Custom protocols are powerful enough to support any resource scenario and also will help you align with the security checks of Chromium.
@deepak1556 we run a worker_thread to not block the CPU and Electron APIs (for custom protocol) aren't available there. Edit: for more context, we don't load regular HTML pages with the localhost server. There's an HTTP asset route that dynamically loads data and either returns a buffer or redirects to the file:// URI if the asset is cached on disk. We could use a file proxy route that does
Redirecting from
@zcbenz the change in behavior is intentional and this change should not be reverted
We're going to be stuck on an older Electron version bc of this for a while and I'm sure more silent people will be too. I think having a flag (perhaps global) would be better than reverting for all since it's for security.
Can't prove it, but the use case of redirecting to a data / file URI from an http server must be beyond edge-case. You shouldn't even be running a localhost server in your Electron app anyway, let alone violating web standards and serving up that redirect. The workaround is a small refactor (serving the data URI contents directly or streaming the file). I don't support exposing a flag for this and we will not be reverting it.
@KishanBagaria in your case the dynamic asset which you want to serve from disk can instead be provided via a custom protocol with Also, protocol handlers which delegate to Chromium are usually non-expensive code paths, but if you see them blocking the main process then please measure it and file an issue, we can look into it. Thanks!
Thanks, will look into that. I'll make the http server in worker thread redirect to fileproxy: instead of file: and register fileproxy: custom protocol to redirect to file: / serve file. (Edit: can confirm this works well) Fwiw, WKWebView also has the same restriction for http: to file: redirects but not for http: to data: redirects.
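The workaround described in the comment above, sketched as an added example that is not part of the original thread or of Electron's code: the HTTP route redirects to `fileproxy:` instead of `file:`, and the handler side confines what that scheme may read to one cache directory. The host `cache`, `CACHE_ROOT`, the flat asset-id naming and both function names are assumptions made for illustration.

```javascript
// Added example. The scheme host "cache", CACHE_ROOT and both function names
// are assumptions for illustration; asset ids are assumed to be flat file names.
const CACHE_ROOT = '/var/cache/myapp/assets'; // hypothetical POSIX cache directory

// What the worker-thread HTTP route returns for an asset cached on disk:
// a redirect to the custom scheme instead of a file: URI.
function redirectForCachedAsset(assetId) {
  return {
    status: 302,
    headers: { Location: 'fileproxy://cache/' + encodeURIComponent(assetId) },
  };
}

// What the fileproxy: handler in the main process calls before touching disk.
// Returns an absolute path under cacheRoot, or null when the request must be refused.
function resolveFileProxyUrl(rawUrl, cacheRoot = CACHE_ROOT) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not a parseable URL
  }
  if (url.protocol !== 'fileproxy:' || url.host !== 'cache') return null;

  let name;
  try {
    // The URL parser collapses literal ../ segments but leaves %2F encoded,
    // so decode first and validate the decoded name.
    name = decodeURIComponent(url.pathname).slice(1);
  } catch {
    return null; // malformed percent-encoding
  }
  const unsafe =
    name === '' || name === '.' || name === '..' ||
    name.includes('/') || name.includes('\\') || name.includes('\0');
  if (unsafe) return null;

  return cacheRoot.replace(/\/+$/, '') + '/' + name;
}
```

In the main process, the `fileproxy:` handler registered through Electron's `protocol` module would call `resolveFileProxyUrl` and fail the request when it returns null; that registration is not shown here.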
This example works on "19.0.13". I found that other people had similar problems
Description of Change
Remove unneeded bypass of redirect checks when creating URL loader factories.
Checklist
npm test passes
Release Notes
Notes: none