feat: add session.setCorsOriginAccessList API #24849
💖 Thanks for opening this pull request! 💖 We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix. Examples of commit messages with semantic prefixes:
Things that will help get your PR across the finish line:
We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.
The main issue we're trying to solve here is that
Any reason you can't register another custom protocol that handles file paths? What is the reason behind mixing file URIs and custom protocols in the app?
That's what I'm currently using, but it has some limitations and complications when we render end-user-generated content. It would be extremely convenient if For context, we render markdown content created by end users. We'd like to support
I imagine it's possible to work around these issues with an HTML post-processor that replaces There's currently another bug which I have not yet filed, where
If I understand correctly, a custom protocol provides many advantages over file:/// for serving app resources:
I'd like to add that while workarounds do exist, such as another custom protocol for files, developers using Electron are incentivized to take the easy route and just set Most people don't really think about the implications of turning off webSecurity, other than that it enables the desired functionality. On principle we should provide a safer way to access/embed local resources.
Thanks for the added context, really helps!
I think it should be hard to configure bad custom schemes in Electron, if the API were to make With the above conditions, an example
I think that should be fine for most use cases. I imagine in the most common case, it would disallow
That's interesting, definitely something I wasn't aware of. I must have missed some of the checks when browsing the code (please excuse my first time working with the Chromium source; I'd also appreciate it if you could give some pointers to how Chromium checks for such an invalid scheme).
Given your insight that While digging, another possible solution I think could work is calling
That sounds better, providing finer control; it can be a new API on the session module. I think the API works well with empty hosts and
Sure, I'll give it a try. Thanks for the tip!
Sorry for the delay. I haven't been able to get Electron to build. After several attempts it seems to constantly get stuck on Are there any resources I can look at to debug this issue?
You can run the ninja command with
My VM has 16GB RAM, not sure if that's enough, I'll reboot it with 48GB after to see. In my search, I found this thread https://groups.google.com/a/chromium.org/d/msg/chromium-dev/0g7D-ubb87c/dbpGxBSoBQAJ where this user ran into something similar.
I've restarted with
Is it still stuck at that step after you ran it manually? Can you try removing that file and retrying?
That's right, I've tried a couple of times removing that file and resuming the build. Suspecting it may be a hardware issue, I'm formatting a new SSD to install a fresh OS and set up from scratch. Will report back once that's done.
I figured it out (it was a hard drive issue) and I'm now able to build & run. Quick question while I'm at it:
I've also confirmed that the
blink::WebURL webUrl(GURL("app://./"));
blink::WebSecurityPolicy::AddOriginAccessAllowListEntry(
webUrl, "file", "",
network::mojom::CorsDomainMatchMode::kAllowSubdomains,
network::mojom::CorsPortMatchMode::kAllowAnyPort,
network::mojom::CorsOriginAccessMatchPriority::kDefaultPriority
);
There are a few sanitization steps I'll need to perform (e.g. the input URL must contain a host) to avoid crashes, but adding this indeed solves the
After much exploring in the source code, it still seems the only place that uses WebSecurityPolicy is from
I haven't yet found a good example of an Electron API that accesses something similar from the main process. I'm hoping someone can point me to one such example so I can
Sorry for the delayed response. Yes. Currently we have the protocol module, which configures something similar on the renderer side via RegisterSchemeAsPrivileged through the command line in ElectronBrowserClient::AppendExtraCommandLineSwitches.
The reason I asked for the API to be on session is that the origin list can be shared across different webContents using a similar session. Also, we don't want this API on the renderer side (for ex: via webFrame) because the renderer contents can be untrusted and should not get access to this powerful API.
For this particular API the CORS check is eventually performed by the network service process (https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/weborigin/security_policy.cc;l=58), so we don't have to pass this to the renderer and call the WebSecurityPolicy API. There is a way to configure the origin list per network context via the context create param (https://source.chromium.org/chromium/chromium/src/+/master:services/network/public/mojom/network_context.mojom;l=429); all we need to do is set up ElectronBrowserContext::GetSharedCorsOriginAccessList, and the session module API can call SharedCorsOriginAccessList::SetForOrigin.
Since this API might require a patch to
Sorry for the lack of activity; shifting priorities. Though I'll get back to more experimenting and come up with a new commit soon. Thanks again for all the assistance.
OK, so I've hooked up a method in the session API that calls If I understand the code correctly, This doesn't seem to do anything in my testing just yet, so I'm not too sure what the next step is. Perhaps I should gather and commit my changes just so we can look at them? Let me know.
Yup, it would be better to push your changes, thanks!
The API is still there just for testing purposes; I will change it to whatever makes sense once the team approves the method and agrees on an API design.
I haven't gotten around to this PR yet, will have a look at the implementation tomorrow. Thanks!
Oops, wrong branch... Sorry about that.
Quick ping, and also to clarify: this code doesn't actually achieve the intended behavior just yet. I have not yet found out why that is.
The @electron/wg-api reviewed this at the August 24, 2020 meeting.
Thank you for the response. It's understandable given you guys have a lot on your plates! Let me know if there's anything I can do to help 😄
@lishid I have cleaned up the PR a bit, the API now looks like

    await session.setCorsOriginAccessList(
      "custom://abc/hello.html",
      [ "https://*.github.com/*", "*://electron.github.io", "file" ], /* allow list */
      [ "http://*/*" ] /* block list */);

Can you work on writing some tests and adding documentation, so that it can be reviewed again by api-wg next week? Thanks!
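As an added illustration (not code from this PR, Electron or Chromium): a small Node.js model of how a target origin would be checked against an allow list and a block list shaped like the ones in the call above. The pattern grammar (scheme, host with an optional leading "*." wildcard, optional port, path ignored), the rule that "*.example.com" also matches the bare domain (modelled on the kAllowSubdomains mode mentioned earlier in the thread), and the rule that a block-list match takes precedence over an allow-list match are assumptions of this model, not semantics the PR specifies. The sample target URLs are constructed for the example.

```javascript
// Added example: a model of allow/block origin-access-list evaluation.
// It is not Electron or Chromium code. Assumptions are marked below.

// Parse a pattern such as "https://*.github.com/*", "*://electron.github.io"
// or a bare scheme such as "file". The path component is ignored because
// CORS decisions are made per origin (scheme, host, port), not per path.
function parsePattern(pattern) {
  const sep = pattern.indexOf('://');
  if (sep === -1) {
    // Bare scheme: any host, any port on that scheme (assumption).
    return { scheme: pattern.toLowerCase(), host: '*', port: '*' };
  }
  const scheme = pattern.slice(0, sep).toLowerCase();
  let rest = pattern.slice(sep + 3);
  const slash = rest.indexOf('/');
  if (slash !== -1) rest = rest.slice(0, slash);
  // Simplification: IPv6 literals such as "[::1]:8080" are not handled.
  let host = rest;
  let port = '*';
  const colon = rest.lastIndexOf(':');
  if (colon !== -1) {
    host = rest.slice(0, colon);
    port = rest.slice(colon + 1);
  }
  return { scheme, host: host.toLowerCase(), port };
}

// "*" matches any host; "*.example.com" matches example.com and any
// subdomain (assumption, modelled on Chromium's kAllowSubdomains mode);
// anything else must match exactly. The suffix test is anchored on the
// dot so that "github.com.evil.example" does not match "*.github.com".
function hostMatches(patternHost, host) {
  if (patternHost === '*') return true;
  if (patternHost.startsWith('*.')) {
    const base = patternHost.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return patternHost === host;
}

function entryMatches(entry, origin) {
  if (entry.scheme !== '*' && entry.scheme !== origin.scheme) return false;
  if (!hostMatches(entry.host, origin.host)) return false;
  if (entry.port !== '*' && entry.port !== origin.port) return false;
  return true;
}

// Reduce a URL to its origin triple. The WHATWG URL parser reports an empty
// port when the scheme default is used and an empty hostname for file: URLs.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol.replace(/:$/, ''), host: u.hostname.toLowerCase(), port: u.port };
}

// Returns "blocked" when a block-list entry matches (assumption: block wins
// over allow), "allowed" when only an allow-list entry matches, and
// "default" when neither does, i.e. ordinary CORS rules would apply.
function checkAccess(targetUrl, allowList, blockList) {
  const origin = parseOrigin(targetUrl);
  if (blockList.map(parsePattern).some((e) => entryMatches(e, origin))) return 'blocked';
  if (allowList.map(parsePattern).some((e) => entryMatches(e, origin))) return 'allowed';
  return 'default';
}

// The lists from the proposed call above.
const ALLOW_LIST = ['https://*.github.com/*', '*://electron.github.io', 'file'];
const BLOCK_LIST = ['http://*/*'];

// Constructed sample targets, not taken from the PR.
const SAMPLE_TARGETS = [
  'https://api.github.com/repos',
  'https://github.com',
  'http://electron.github.io',
  'https://electron.github.io',
  'file:///home/user/notes/readme.md',
  'https://github.com.evil.example',
  'ftp://example.org',
];

function demo() {
  for (const t of SAMPLE_TARGETS) {
    console.log(`${t} -> ${checkAccess(t, ALLOW_LIST, BLOCK_LIST)}`);
  }
}

demo();
```

The two cases worth noticing are "http://electron.github.io", which matches an allow entry but is still blocked because the block entry "http://*/*" also matches, and "https://github.com.evil.example", which the dot-anchored suffix check keeps out of the "*.github.com" entry.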
Will do, thanks!
Just added docs, will work on tests tomorrow when my updated sources build all 14k files again 😂
Hey, is this PR moving on?
Doesn't seem like the API has been reviewed a second time yet, probably fallen through the cracks. @jkleinsc any updates?
Hey @deepak1556 @jkleinsc, is there anything we can do to push this PR forward? IMO it's still a serious security issue for Electron because a lot of Electron apps use
@lishid there are a couple things that are needed for this PR to move forward:
I could not run lint because I don't see any instructions for cpplint anywhere in any of these docs pages either:
Saw a package named cpplint on pip but not sure if that's compatible with the current Python 2.7 setup. Please advise. EDIT: I got access to the CI lint results instead!
@deepak1556 I seem to be getting an exception for "conversion failure from" (there's nothing after "from") when I specify the allow list to be
@deepak1556 Upon further debugging, I believe that the @jkleinsc Given this scenario, I'd propose a new API inspired by I'd argue that making this API more general-purpose (i.e. not just allowing access to
@lishid Do you mean
@zcbenz That is mostly correct. In my experiments, only applying the WebSecurityPolicy API directly from the renderer's side had an impact over the In addition, in my testing, I was able to allow access to EDIT: I want to clarify that Some more observations that may be relevant:
When I traced through the specific error message in Chromium's source, it seemed to be produced through a code path that had very basic checks, which was specially coded for protocols marked as |
Thanks for explaining, I'm good with either But if we go with
Sounds good. I will attempt a prototype with just
@lishid is this PR still something you're planning on pursuing?
Yeah... I haven't had time to follow up, but it should definitely be implemented at some point so that people don't just turn off
@lishid do you have any updates on the PR?
Apologies, I still have my hands full and haven't been able to make any progress. Feel free to close until someone more capable can implement this.
I'm going to close this for now as there's not been much activity lately. If there's renewed interest in this we can open a new PR.
Description of Change

Summary: A new "local" scheme privilege is added, which grants access to file:// resources without needing to disable webSecurity.

Rationale:
secure
cannot access files from the file:/// protocol.
webSecurity: false.

Things I've tried:
registerFileProtocol('file'...)
interceptFileProtocol('file'...)
session.defaultSession.webRequest.onBeforeRequest

webSecurity: false is not a recommended practice for security purposes by https://www.electronjs.org/docs/tutorial/security

This PR adds a local privilege to scheme registration, which adds the scheme to blink::SchemeRegistry::RegisterURLSchemeAsLocal. Doing so marks the protocol as local, thus allowing it to access local resources via the pathway:
SecurityOrigin::CanDisplay()
SecurityOrigin::can_load_local_resources_
SecurityOrigin::IsLocal()

Checklist
npm test passes

Release Notes
Notes: Added "local" scheme privilege, which grants access to file:// without the need to disable webSecurity.