Skip to content

fix: ensure corsEnabled: false protocol handlers do not work across protocols (40-x-y)#51271

Merged
ckerr merged 3 commits into
40-x-yfrom
manual-bp/51152/40-x-y
Apr 23, 2026
Merged

fix: ensure corsEnabled: false protocol handlers do not work across protocols (40-x-y)#51271
ckerr merged 3 commits into
40-x-yfrom
manual-bp/51152/40-x-y

Conversation

@MarshallOfSound
Copy link
Copy Markdown
Member

@MarshallOfSound MarshallOfSound commented Apr 23, 2026

Manual backport of #51152 to 40-x-y.

See that PR for details.

Notes: Ensured cross-origin fetch() and XHR are blocked for custom protocols registered with supportFetchAPI: true unless corsEnabled: true is also set; cross-origin mode: 'no-cors' requests now receive an opaque response.

@MarshallOfSound MarshallOfSound added backport This is a backport PR semver/patch backwards-compatible bug fixes 40-x-y labels Apr 23, 2026
@trop trop Bot mentioned this pull request Apr 23, 2026
Merged
5 tasks
@codebytere codebytere force-pushed the manual-bp/51152/40-x-y branch from 41cd3ce to 10f91f4 Compare April 23, 2026 12:50
MarshallOfSound and others added 2 commits April 23, 2026 14:12
@MarshallOfSound @ckerr
fix: ensure corsEnabled: false protocol handlers do not work across p…
a67c237 
…rotocols (#51152)

* fix: ensure corsEnabled: false protocol handlers do not work across protocols

Subresource requests for registered custom protocols are routed to
ElectronURLLoaderFactory via the renderer's per-scheme URLLoaderFactoryBundle
entry, which bypasses the network service's CorsURLLoaderFactory. This meant a
cross-origin page could fetch() a scheme registered with {supportFetchAPI: true}
and read the response body even when {corsEnabled: true} was not set.

Replicate CorsURLLoader::StartRequest's kCorsDisabledScheme gate in
ElectronURLLoaderFactory::CreateLoaderAndStart so cross-origin mode=cors
requests to such schemes fail before the JS handler runs, and tag cross-origin
mode=no-cors responses as opaque so the body is not script-readable while <img>
and similar subresource loads continue to work.

Re-enable the long-disabled "disallows CORS and fetch requests when only
supportFetchAPI is specified" test, add coverage for the opaque/no-cors,
same-origin, handler-not-invoked, corsEnabled-unaffected and net.fetch-unaffected
cases, and migrate spec helpers that were exercising a {supportFetchAPI: true}
scheme cross-origin to a corsEnabled scheme.

* chore: oxfmt

(cherry picked from commit 92f0993)
@codebytere @ckerr
chore: fix build
7749395
@ckerr ckerr force-pushed the manual-bp/51152/40-x-y branch from 10f91f4 to 7749395 Compare April 23, 2026 19:13
@ckerr
Copy link
Copy Markdown
Member

ckerr commented Apr 23, 2026

rebased to get past the Error: Can't find 'action.yml', 'action.yaml' or 'Dockerfile' error

@ckerr ckerr merged commit ab55d24 into 40-x-y Apr 23, 2026
61 checks passed
@ckerr ckerr deleted the manual-bp/51152/40-x-y branch April 23, 2026 21:29
@release-clerk
Copy link
Copy Markdown

release-clerk Bot commented Apr 23, 2026

Release Notes Persisted

Ensured cross-origin fetch() and XHR are blocked for custom protocols registered with supportFetchAPI: true unless corsEnabled: true is also set; cross-origin mode: 'no-cors' requests now receive an opaque response.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ckerr ckerr ckerr approved these changes

@VerteDinde VerteDinde VerteDinde approved these changes

Assignees

No one assigned

Labels

40-x-y backport This is a backport PR semver/patch backwards-compatible bug fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MarshallOfSound @ckerr @VerteDinde @codebytere