New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blocked a frame with origin "file://" from accessing a cross-origin frame #19789
Comments
Can we get a feedback about this please? It's blocking us to use latest versions of electron. Thanks a lot |
Any feedback on this issue? |
I haven't looked in detail, but it seems that the problem could have been introduced by #18614. |
Unique |
@MarshallOfSound This is a scenario where the electron app is opening a second window using window.open function. The origin is the same on both windows. This is a false match for a cross origin issue since all files are under the electron app itself. Please take a look at the attached sample application to see the problem. |
@rpastro This is not a false match. As I explained different |
@MarshallOfSound Regarding the comparison with the browser. This would be equivalent to a web application opening another window for a different page in the same domain, which is allowed and we are actually using in our web application. |
@MarshallOfSound How can I use a different protocol than file:// to load a page that is packaged together with the electron app itself? Again, this has always been allowed in electron and it was broken in v5.0.4. The rules for file:// protocol should follow the same rules as other protocols and should consider the 'domain' itself. For an electron app the domain would be all files packaged as part of the app (i.e domain is __dirname) |
No it's not the same, it's on the
No... They shouldn't. I'm sorry but the |
@MarshallOfSound regarding your suggestion. Are you saying that I would not have the CORS . issue if I create a custom protocol that has the same effect as the file:// protocol, similar to the example in https://electronjs.org/docs/api/protocol? I'm assuming this also means that I would have to load all my windows using this custom protocol. |
I am also struggling with cross-origin issues. Am I right in thinking that if you want different windows of your application to work together you have to be running a webserver alongside electron? I looked at the protocol api, but it doesn't really explain how to use protocols once you've set them up. |
I've come to realize that if you have multiple windows, the proper way to communicate between them is by using the main process as a liason. This can be done through IPC. This would mean that you'd also have to initiate each window through the main process (again, can be done through IPC). My particulars are a bit different as I have a parent window and an iframe, so there is no main process between them. However, I have found a solution that allows for cross-origin communication: Window.postMessage. |
Related: #18214 |
@MarshallOfSound, in any case, if it relates to security, there is an security issue in electron. Without main window reload, my desired behavior is working (each even reload change result). So you need pay attention to it. But honestly I didn't understand how behavior of chromium is changed within electron version change from 5.0.3 to 5.0.4. I hope that this could become like feature that is disabled by default. I guess load files stored in same asar archive has nothing common with tab isolation solving Spectre vulnerability and could be treated as same origin. There is no way now to have simple communication layer parent-child to grab some classes/methods/data. |
@MarshallOfSound should different file:// paths be able to share localStorage? I'm seeing that they are indeed able to read each other's values: #21260 |
If somebody is looking for workaround, I found a solution:
|
use the electron protocol.registerSchemesAsPrivileged. eg: customFileProtocol app://. It's can be solved. https://www.electronjs.org/docs/latest/api/protocol#protocolregisterschemesasprivilegedcustomschemes eg: https://nklayman.github.io/vue-cli-plugin-electron-builder/ It.s use protocol.registerSchemesAsPrivileged |
@chenweihan thanks a lot ! this solution worked for me 😺 |
Issue Details
Expected Behavior
When I use native chrome window.open function, I'd like to have windows communication way using window.opener.
Actual Behavior
When I try to access data stored in parent window, I got security error:
No matter both windows origin is 'file:'.
To Reproduce
Sample in attachments
To reproduce:
Reload document (cmd+R)
Click "New child window"
Observe child window console
electron-quick-start.zip
The text was updated successfully, but these errors were encountered: