
[Bug]: Electron crashes when loading <iframe> from custom URL protocol #35462

Closed
3 tasks done
aless2 opened this issue Aug 25, 2022 · 4 comments · Fixed by #35485

aless2 commented Aug 25, 2022

Preflight Checklist

Electron Version

20.1.0

What operating system are you using?

Windows

Operating System Version

Windows 10

What arch are you using?

x64

Last Known Working Electron version

No response

Expected Behavior

I want to load an iframe from a custom:// url protocol inside my main window.

<iframe src="custom://test.html">

Actual Behavior

Application crashes when using custom:// url protocol. The protocol is registered with protocol.registerFileProtocol(). When loading the exact same file with the file:// protocol, everything is OK.

Testcase Gist URL

https://gist.github.com/75a34a8f7177e616146a8e5f1f4edddc

Additional Information

The same issue has also been observed on Ubuntu 20.04

Contributor

Prinzhorn commented Aug 25, 2022

Author

aless2 commented Aug 25, 2022

Yes, this looks pretty much the same. If I register another custom protocol (custom2://) and load the main frame with mainWindow.loadURL("custom2://index.html"), then the <iframe> is successfully loaded. Still, during development, when loading my application's main window from a development http:// server, this workaround will not work.

Member

codebytere commented Aug 26, 2022

We've seen this same crash in a few other places incl. #28765 - here's the stacktrace:

Stacktrace
[12933:0826/094534.973010:FATAL:navigation_request.cc(6523)] Check failed: policy->CanAccessDataForOrigin(process_id, origin_with_debug_info.first). 
0   Electron Framework                  0x0000000121600b32 base::debug::CollectStackTrace(void**, unsigned long) + 18
1   Electron Framework                  0x0000000121526823 base::debug::StackTrace::StackTrace() + 19
2   Electron Framework                  0x000000012153d4e7 logging::LogMessage::~LogMessage() + 183
3   Electron Framework                  0x000000012153e20e logging::LogMessage::~LogMessage() + 14
4   Electron Framework                  0x000000012069610f content::NavigationRequest::GetOriginForURLLoaderFactoryWithFinalFrameHostWithDebugInfo() + 863
5   Electron Framework                  0x00000001206806bc content::NavigationRequest::CommitNavigation() + 924
6   Electron Framework                  0x000000012068e34b content::NavigationRequest::OnCommitDeferringConditionChecksComplete(content::CommitDeferringCondition::NavigationType, absl::optional<int>) + 187
7   Electron Framework                  0x00000001205a894e content::CommitDeferringConditionRunner::ProcessConditions() + 446
8   Electron Framework                  0x000000012068dbb0 content::NavigationRequest::OnWillProcessResponseChecksComplete(content::NavigationThrottle::ThrottleCheckResult) + 1200
9   Electron Framework                  0x00000001206927b4 content::NavigationRequest::OnWillProcessResponseProcessed(content::NavigationThrottle::ThrottleCheckResult) + 676
10  Electron Framework                  0x0000000120691cf0 content::NavigationRequest::OnNavigationEventProcessed(content::NavigationThrottleRunner::Event, content::NavigationThrottle::ThrottleCheckResult) + 384
11  Electron Framework                  0x00000001206a0bd1 content::NavigationThrottleRunner::ProcessInternal() + 1137
12  Electron Framework                  0x00000001206a0e11 content::NavigationThrottleRunner::ResumeProcessingNavigationEvent(content::NavigationThrottle*) + 289
13  Electron Framework                  0x0000000120692848 content::NavigationRequest::Resume(content::NavigationThrottle*) + 104
14  Electron Framework                  0x00000001202c87af content::protocol::TargetHandler::Session::ResumeIfThrottled() + 95
15  Electron Framework                  0x000000012024038b content::DevToolsSession::DispatchProtocolMessageInternal(crdtp::Dispatchable, base::span<unsigned char const, 18446744073709551615ul>) + 155
16  Electron Framework                  0x00000001202400c5 content::DevToolsSession::DispatchProtocolMessage(base::span<unsigned char const, 18446744073709551615ul>) + 2085
17  Electron Framework                  0x0000000126433aa5 bool (anonymous namespace)::ParseAndHandle<std::Cr::basic_string<char, std::Cr::char_traits<char>, std::Cr::allocator<char>> const&>(base::RepeatingCallback<void (std::Cr::basic_string<char, std::Cr::char_traits<char>, std::Cr::allocator<char>> const&)> const&, base::OnceCallback<void (base::Value const*)>, base::Value::List const&) + 149
18  Electron Framework                  0x000000012643359a base::internal::Invoker<base::internal::BindState<bool (*)(base::RepeatingCallback<void ()> const&, base::OnceCallback<void (base::Value const*)>, base::Value::List const&), base::RepeatingCallback<void ()>>, bool (base::OnceCallback<void (base::Value const*)>, base::Value::List const&)>::Run(base::internal::BindStateBase*, base::OnceCallback<void (base::Value const*)>&&, base::Value::List const&) + 42
19  Electron Framework                  0x0000000126433289 DispatcherImpl::Dispatch(base::OnceCallback<void (base::Value const*)>, std::Cr::basic_string<char, std::Cr::char_traits<char>, std::Cr::allocator<char>> const&, base::Value::List const&) + 137
20  Electron Framework                  0x000000011cb378f1 electron::InspectableWebContents::HandleMessageFromDevToolsFrontend(base::Value::Dict) + 513
21  Electron Framework                  0x000000011cb398a3 void base::internal::FunctorTraits<void (electron::InspectableWebContents::*)(base::Value::Dict), void>::Invoke<void (electron::InspectableWebContents::*)(base::Value::Dict), base::WeakPtr<electron::InspectableWebContents> const&, base::Value::Dict>(void (electron::InspectableWebContents::*)(base::Value::Dict), base::WeakPtr<electron::InspectableWebContents> const&, base::Value::Dict&&) + 131
22  Electron Framework                  0x0000000120a0f42d non-virtual thunk to content::DevToolsFrontendHostImpl::DispatchEmbedderMessage(base::Value::Dict) + 93
23  Electron Framework                  0x000000011dfa6bb8 blink::mojom::DevToolsFrontendHostStubDispatch::Accept(blink::mojom::DevToolsFrontendHost*, mojo::Message*) + 328
24  Electron Framework                  0x000000012192df30 mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) + 1168
25  Electron Framework                  0x0000000121934329 mojo::MessageDispatcher::Accept(mojo::Message*) + 265
26  Electron Framework                  0x000000012192faea mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) + 154
27  Electron Framework                  0x0000000121d5e3d1 IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptOnEndpointThread(mojo::Message) + 721
28  Electron Framework                  0x0000000121d5b78c base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, mojo::Message>, void ()>::RunOnce(base::internal::BindStateBase*) + 140
29  Electron Framework                  0x0000000121595faa base::TaskAnnotator::RunTaskImpl(base::PendingTask&) + 314
30  Electron Framework                  0x00000001215bede5 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow*) + 1669
31  Electron Framework                  0x00000001215be27b base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() + 123
32  Electron Framework                  0x00000001215bf5d5 non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() + 21
33  Electron Framework                  0x00000001216162ab base::MessagePumpCFRunLoopBase::RunWork() + 91
34  Electron Framework                  0x0000000121615222 base::mac::CallWithEHFrame(void () block_pointer) + 10
35  Electron Framework                  0x00000001216157ef base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 63
36  CoreFoundation                      0x00007ff80289619b __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
37  CoreFoundation                      0x00007ff802896103 __CFRunLoopDoSource0 + 180
38  CoreFoundation                      0x00007ff802895e7d __CFRunLoopDoSources0 + 242
39  CoreFoundation                      0x00007ff802894898 __CFRunLoopRun + 892
40  CoreFoundation                      0x00007ff802893e5c CFRunLoopRunSpecific + 562
41  HIToolbox                           0x00007ff80b53b5e6 RunCurrentEventLoopInMode + 292
42  HIToolbox                           0x00007ff80b53b34a ReceiveNextEventCommon + 594
43  HIToolbox                           0x00007ff80b53b0e5 _BlockUntilNextEventMatchingListInModeWithFilter + 70
44  AppKit                              0x00007ff8052d31fd _DPSNextEvent + 927
45  AppKit                              0x00007ff8052d18ba -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1394
46  AppKit                              0x00007ff8052c3f69 -[NSApplication run] + 586
47  Electron Framework                  0x0000000121616d3c base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 348
48  Electron Framework                  0x00000001216152d5 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 165
49  Electron Framework                  0x00000001215bfb67 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) + 679
50  Electron Framework                  0x0000000121571673 base::RunLoop::Run(base::Location const&) + 675
51  Electron Framework                  0x000000012017fa73 content::BrowserMainLoop::RunMainMessageLoop() + 243
52  Electron Framework                  0x00000001201819c2 content::BrowserMainRunnerImpl::Run() + 82
53  Electron Framework                  0x000000012017cded content::BrowserMain(content::MainFunctionParams) + 221
54  Electron Framework                  0x000000011cdf3c72 content::RunBrowserProcessMain(content::MainFunctionParams, content::ContentMainDelegate*) + 258
55  Electron Framework                  0x000000011cdf509e content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams, bool) + 670
56  Electron Framework                  0x000000011cdf4d77 content::ContentMainRunnerImpl::Run() + 1127
57  Electron Framework                  0x000000011cdf3597 content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) + 2727
58  Electron Framework                  0x000000011cdf36b2 content::ContentMain(content::ContentMainParams) + 98
59  Electron Framework                  0x000000011c9c984d ElectronMain + 157
60  dyld                                0x0000000106db451e start + 462
Task trace:
0   Electron Framework                  0x0000000121d5a840 IPC::(anonymous namespace)::ChannelAssociatedGroupController::Accept(mojo::Message*) + 784
1   Electron Framework                  0x0000000121957aae mojo::SimpleWatcher::Context::Notify(unsigned int, MojoHandleSignalsState, unsigned int) + 430
Crash keys:
  "process_rfh_count" = "1"
  "shutdown_delay_ref_count" = "0"
  "keep_alive_duration" = "0 uid/time-deltas:."
  "can_access_data_failure_reason" = "[BI=2]lock_mismatch:url "
  "requested_origin" = "null [internally: (80ACDD4D9EE89C729FFC9CEB952F3DAF) derived from file://]"
  "killed_process_origin_lock" = "{ custom: }"
  "expected_process_lock" = "{ file:/// }"
  "amfi-status" = "rv=0 status=0x0 allow_everything=0"
  "ui_scheduler_async_stack" = "0x121D5A840 0x121957AAE"
  "io_scheduler_async_stack" = "0x121957AAE 0x0"
  "platform" = "darwin"
  "process_type" = "browser"

Ref CRBUG:1081397
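
A triage helper for logs like the one above, added here as an example (not code from this issue or from the Electron project): it extracts the failed check and the crash keys from a Chromium FATAL log and reports which schemes the process lock and the expected lock use. The names `parseFatalLog`, `lockScheme`, `triageLockMismatch` and the `appSchemes` parameter are hypothetical; the sample log is an excerpt of the trace quoted above.

```javascript
// Added example: triage of a Chromium/Electron FATAL log (not Electron project code).
// SAMPLE_LOG is an excerpt of the trace quoted in this issue.
const SAMPLE_LOG = [
  '[12933:0826/094534.973010:FATAL:navigation_request.cc(6523)] Check failed: policy->CanAccessDataForOrigin(process_id, origin_with_debug_info.first). ',
  '0   Electron Framework                  0x0000000121600b32 base::debug::CollectStackTrace(void**, unsigned long) + 18',
  'Crash keys:',
  '  "can_access_data_failure_reason" = "[BI=2]lock_mismatch:url "',
  '  "requested_origin" = "null [internally: (80ACDD4D9EE89C729FFC9CEB952F3DAF) derived from file://]"',
  '  "killed_process_origin_lock" = "{ custom: }"',
  '  "expected_process_lock" = "{ file:/// }"',
  '  "process_type" = "browser"',
].join('\n');

// Pull the "Check failed" expression, its source location and the crash keys out of the log.
function parseFatalLog(text) {
  const result = { check: null, source: null, crashKeys: Object.create(null) };
  let inKeys = false;
  for (const line of text.split(/\r?\n/)) {
    const fatal = line.match(/:FATAL:([^\]]+)\]\s*Check failed:\s*(.*?)\s*$/);
    if (fatal) {
      result.source = fatal[1];
      result.check = fatal[2].replace(/\.$/, '');
    } else if (/^Crash keys:\s*$/.test(line)) {
      inKeys = true;
    } else if (inKeys) {
      const kv = line.match(/^\s*"([^"]+)"\s*=\s*"(.*)"\s*$/);
      if (kv) result.crashKeys[kv[1]] = kv[2];
      else if (line.trim() !== '') inKeys = false; // end of the crash-key block
    }
  }
  return result;
}

// Scheme of a process-lock string such as "{ file:/// }" or "{ custom: }".
function lockScheme(lock) {
  const m = /\{\s*([a-z][a-z0-9+.-]*):/i.exec(lock || '');
  return m ? m[1].toLowerCase() : null;
}

// appSchemes (assumption): the schemes your own app registers through the protocol module.
function triageLockMismatch(text, appSchemes = []) {
  const { check, source, crashKeys: k } = parseFatalLog(text);
  const reason = (k.can_access_data_failure_reason || '').trim();
  const processLockScheme = lockScheme(k.killed_process_origin_lock);
  const expectedLockScheme = lockScheme(k.expected_process_lock);
  const isLockMismatch = /CanAccessDataForOrigin/.test(check || '') && reason.includes('lock_mismatch');
  const appSchemesInvolved = [processLockScheme, expectedLockScheme].filter((s) => s && appSchemes.includes(s));
  return { source, isLockMismatch, processLockScheme, expectedLockScheme, appSchemesInvolved };
}
```

Calling `triageLockMismatch(SAMPLE_LOG, ['custom'])` reports a lock mismatch between a process locked to `custom` and an expected lock of `file`, with `custom` flagged as an app-registered scheme.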

Member

codebytere commented Aug 29, 2022

I think there is a path forward here - what's happening is that ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin contains explicit exceptions to allow built-in non-standard schemes, but does not check for non-standard schemes registered by the embedder.

Upstream, several possibilities have been floated - I can try to open up a PR here with some changes and potentially upstream them.
