Skip to content

fix: webRequest.onBeforeSendHeaders not being able to modify reserved headers#49226

Merged
MarshallOfSound merged 2 commits intomainfrom
sam/fix-net-headers
Dec 19, 2025
Merged

fix: webRequest.onBeforeSendHeaders not being able to modify reserved headers#49226
MarshallOfSound merged 2 commits intomainfrom
sam/fix-net-headers

Conversation

@MarshallOfSound
Copy link
Copy Markdown
Member

@MarshallOfSound MarshallOfSound commented Dec 17, 2025
edited
Loading

Fix webRequest.onBeforeSendHeaders not being able to modify headers like Proxy-Authorization for requests made via the net module.

When using webRequest.onBeforeSendHeaders to inject headers like Proxy-Authorization into requests made via net.request or net.fetch, the request fails with net::ERR_INVALID_ARGUMENT. However, the same webRequest listener works correctly for renderer-initiated requests (e.g., fetch() from a BrowserWindow). The network service validates headers and headers starting with Proxy- are rejected by AreRequestHeadersSafe() in CorsURLLoaderFactory::IsValidRequest().

For renderer requests, this isn't a problem because:

  1. The initial request passes validation (no Proxy-Authorization header yet)
  2. Header modifications via webRequest happen through the TrustedHeaderClient callback, which occurs after validation
  3. Modified headers are passed directly to the network layer, bypassing re-validation

For net module requests, the TrustedHeaderClient path was not being used because network_service_request_id was always 0. This caused header modifications to go through the FollowRedirect() path instead, which re-validates headers with AreRequestHeadersSafe() and rejects Proxy-* headers.

The condition that gates TrustedHeaderClient usage (in proxying_url_loader_factory.cc):

current_request_uses_header_client_ =
    factory_->url_loader_header_client_receiver_.is_bound() &&
    (for_cors_preflight_ || network_service_request_id_ != 0) &&
    has_any_extra_headers_listeners_;

Solution

Set a non-zero request ID for net module requests using Chromium's GlobalRequestID::MakeBrowserInitiated(). This generates unique negative request IDs (-2, -3, -4, ...) that are distinct from renderer request IDs (positive numbers). This is the same mechanism Chromium uses internally for other browser-initiated requests.

Setting Proxy-Authorization directly in the net.fetch options will still fail, as the header would be present in the initial request before validation. The header must be injected via webRequest.onBeforeSendHeaders to use the TrustedHeaderClient path.

Notes: Requests sent via net are now capable of having their headers modified to use reserved headers via webRequest

@electron-cation electron-cation bot added the new-pr 🌱 PR opened recently label Dec 17, 2025
deepak1556
deepak1556 approved these changes Dec 17, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@deepak1556 deepak1556 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks!

@deepak1556 deepak1556 added semver/patch backwards-compatible bug fixes target/39-x-y PR should also be added to the "39-x-y" branch. target/40-x-y PR should also be added to the "40-x-y" branch. labels Dec 17, 2025
@electron-cation electron-cation bot removed the new-pr 🌱 PR opened recently label Dec 18, 2025
@MarshallOfSound MarshallOfSound merged commit 3df3a6a into main Dec 19, 2025
109 of 111 checks passed
@MarshallOfSound MarshallOfSound deleted the sam/fix-net-headers branch December 19, 2025 10:08
@release-clerk
Copy link
Copy Markdown

release-clerk bot commented Dec 19, 2025

Release Notes Persisted

Requests sent via net are now capable of having their headers modified to use reserved headers via webRequest

This was referenced Dec 19, 2025
Merged
Merged
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Dec 19, 2025

I have automatically backported this PR to "40-x-y", please check out #49241

@trop trop bot added in-flight/40-x-y and removed target/40-x-y PR should also be added to the "40-x-y" branch. labels Dec 19, 2025
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Dec 19, 2025

I have automatically backported this PR to "39-x-y", please check out #49242

@trop trop bot added in-flight/39-x-y and removed target/39-x-y PR should also be added to the "39-x-y" branch. labels Dec 19, 2025
@trop trop bot added merged/39-x-y PR was merged to the "39-x-y" branch. merged/40-x-y PR was merged to the "40-x-y" branch. and removed in-flight/39-x-y in-flight/40-x-y labels Jan 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deepak1556 deepak1556 deepak1556 approved these changes

@codebytere codebytere codebytere approved these changes

Assignees

No one assigned

Labels

merged/39-x-y PR was merged to the "39-x-y" branch. merged/40-x-y PR was merged to the "40-x-y" branch. semver/patch backwards-compatible bug fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MarshallOfSound @deepak1556 @codebytere