fix: bypass CORB when web security is disabled #15737

Merged
merged 2 commits into from Nov 21, 2018

@deepak1556
Member

commented Nov 16, 2018

Description of Change

This temporarily adds a patch for disabling CORB checks for the pre-network-service code path. Things would be easier to solve once we get to implement ContentBrowserClient::CreateURLLoaderFactoryForNetworkRequests.

Fixes #15132

Checklist

  • PR description included and stakeholders cc'd
  • npm test passes
  • tests are changed or added
  • relevant documentation is changed or added
  • PR title follows semantic commit guidelines

Release Notes

Notes: Disable CORB checks when web security preference is disabled

@zcbenz

zcbenz approved these changes Nov 16, 2018

Member

left a comment

Looks good to me as a temporary fix.

@nornagon
Contributor

left a comment

It looks like this should be implementable without patching through the --disable-web-security switch?

@BinaryMuse

Member

commented Nov 20, 2018

> It looks like this should be implementable without patching through the --disable-web-security switch?

That disables it for the entire app rather than a single BrowserWindow, correct?

@nornagon

Contributor

commented Nov 20, 2018

> > It looks like this should be implementable without patching through the --disable-web-security switch?
>
> That disables it for the entire app rather than a single BrowserWindow, correct?

ah, yes, you're right.

One more try for a patchless fix: could we leverage this code from CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders()?

  // Give embedder a chance to skip document blocking for this response.
  const char* initiator_scheme_exception =
      GetContentClient()
          ->browser()
          ->GetInitatorSchemeBypassingDocumentBlocking();

  // Delegate most decisions to CrossOriginReadBlocking::ResponseAnalyzer.
  analyzer_ =
      std::make_unique<network::CrossOriginReadBlocking::ResponseAnalyzer>(
          *request(), response, initiator_scheme_exception);
  if (analyzer_->ShouldAllow())
    return false;

@deepak1556

Member Author

commented Nov 20, 2018

@nornagon that was my initial approach, but it's less generic and has a scheme-based bypass. We can't easily make it compatible with our current webPreferences option; we will have to get the scheme of every navigation request using ResourceDispatcherHostDelegate, match the process preference, and finally add them to the exception list. Not worth the effort. This patch will only be short-lived until network service is enabled.

@deepak1556 deepak1556 referenced this pull request Nov 21, 2018

Open

Enabling network service #15791

4 of 16 tasks complete

@deepak1556 deepak1556 force-pushed the web_security_corb_patch branch from b179c93 to 6f15379 Nov 21, 2018

@ckerr ckerr added target/4-0-x and removed target/4-0-x labels Nov 21, 2018

@ckerr

Member

commented Nov 21, 2018

This still needs to be backported to 4-0-x in order to come down off the 4.0.x project board

@ckerr ckerr merged commit 9e8b26c into master Nov 21, 2018

@release-clerk


commented Nov 21, 2018

Release Notes Persisted

Disable CORB checks when web security preference is disabled

@ckerr ckerr deleted the web_security_corb_patch branch Nov 21, 2018

ckerr added a commit that referenced this pull request Nov 21, 2018

fix: bypass CORB when web security is disabled (#15737)
Manual backport of `web_security_corb_patch` from `master`.
See #15737 for details.

@ckerr ckerr referenced this pull request Nov 21, 2018

Merged

fix: bypass CORB when web security is disabled (#15737) #15801

2 of 3 tasks complete

ckerr added a commit that referenced this pull request Nov 22, 2018

fix: bypass CORB when web security is disabled (#15737) (#15801)
Manual backport of `web_security_corb_patch` from `master`.
See #15737 for details.

bcpete added a commit to bcpete/electron that referenced this pull request Apr 18, 2019

fix: bypass CORB when web security is disabled (electron#15737)
* fix: extend content layer hook to bypass corb when web security is disabled.

* chore: add patch to disable CORB