fix: make grant_file_protocol_extra_privileges fuse also block CORS fetches #40801

Merged
merged 1 commit into from Jan 2, 2024


nornagon
Member

Description of Change

This adds new testing infrastructure for fuses, and uses it to add a test for
the grant_file_protocol_extra_privileges fuse. Also, fix a bug with the
implementation of that fuse.

Checklist

Release Notes

Notes: Fixed the GrantFileProtocolExtraPrivileges not correctly preventing fetch() calls to file:// URLs.

@nornagon nornagon added security 🔒 semver/patch backwards-compatible bug fixes target/29-x-y PR should also be added to the "29-x-y" branch. labels Dec 20, 2023
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Dec 20, 2023
Member

@VerteDinde VerteDinde left a comment

LGTM, left one non-blocking question 🙂

// after this call, it won't override our asar factory, but if asar support
// breaks in future, please check if Chromium has changed the call.
factories->emplace(url::kFileScheme, AsarURLLoaderFactory::Create());
if (electron::fuses::IsGrantFileProtocolExtraPrivilegesEnabled()) {
Member

Since all of this logic is moved behind a fuse now, could this potentially break any existing implementations? Only asking because I wonder if we should call it out in breaking changes if so.

Member Author

The fuse defaults to being enabled, so behavior without touching the fuse should be unchanged.

@nornagon nornagon merged commit be4e4ff into main Jan 2, 2024
24 checks passed
@nornagon nornagon deleted the fix-file-fuse branch January 2, 2024 21:06

release-clerk bot commented Jan 2, 2024

Release Notes Persisted

Fixed the GrantFileProtocolExtraPrivileges not correctly preventing fetch() calls to file:// URLs.

@trop
Contributor

trop bot commented Jan 2, 2024

I have automatically backported this PR to "29-x-y", please check out #40864

@trop trop bot added in-flight/29-x-y merged/29-x-y PR was merged to the "29-x-y" branch. and removed target/29-x-y PR should also be added to the "29-x-y" branch. in-flight/29-x-y labels Jan 2, 2024