fix: bypass CORB when web security is disabled #15737

Merged
merged 2 commits into from Nov 21, 2018

deepak1556
Member

@deepak1556 deepak1556 commented Nov 16, 2018

Description of Change

This temporarily adds a patch for disabling CORB checks for the pre-network-service code path; things would be easier to solve once we get to implement `ContentBrowserClient::CreateURLLoaderFactoryForNetworkRequests`.

Fixes #15132

Checklist

  • PR description included and stakeholders cc'd
  • npm test passes
  • tests are changed or added
  • relevant documentation is changed or added
  • PR title follows semantic commit guidelines

Release Notes

Notes: Disable CORB checks when web security preference is disabled

Member

@zcbenz zcbenz left a comment

Looks good to me as a temporary fix.

Member

@nornagon nornagon left a comment

It looks like this should be implementable without patching through the --disable-web-security switch?

@BinaryMuse
Contributor

> It looks like this should be implementable without patching through the --disable-web-security switch?

That disables it for the entire app rather than a single BrowserWindow, correct?

@nornagon
Member

> > It looks like this should be implementable without patching through the --disable-web-security switch?
>
> That disables it for the entire app rather than a single BrowserWindow, correct?

ah, yes, you're right.

One more try for a patchless fix: could we leverage this code from `CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders()`?

```cpp
// Give embedder a chance to skip document blocking for this response.
const char* initiator_scheme_exception =
    GetContentClient()
        ->browser()
        ->GetInitatorSchemeBypassingDocumentBlocking();

// Delegate most decisions to CrossOriginReadBlocking::ResponseAnalyzer.
analyzer_ =
    std::make_unique<network::CrossOriginReadBlocking::ResponseAnalyzer>(
        *request(), response, initiator_scheme_exception);
if (analyzer_->ShouldAllow())
  return false;
```

@deepak1556
Member Author

deepak1556 commented Nov 20, 2018

@nornagon that was my initial approach, but it's less generic and has a scheme-based bypass. We can't easily make it compatible with our current webPreferences option; we will have to get the scheme of every navigation request using ResourceDispatcherHostDelegate, match the process preference and finally add them to the exception list, which is not worth the effort. This patch will only be short-lived until network service is enabled.

@deepak1556 deepak1556 mentioned this pull request Nov 21, 2018
15 tasks
@ckerr
Member

ckerr commented Nov 21, 2018

This still needs to be backported to 4-0-x in order to come down off the 4.0.x project board

@ckerr ckerr merged commit 9e8b26c into master Nov 21, 2018
@release-clerk

release-clerk bot commented Nov 21, 2018

Release Notes Persisted

Disable CORB checks when web security preference is disabled

@ckerr ckerr deleted the web_security_corb_patch branch November 21, 2018 20:10
ckerr pushed a commit that referenced this pull request Nov 21, 2018
Manual backport of `web_security_corb_patch` from `master`.
See #15737 for details.
ckerr added a commit that referenced this pull request Nov 22, 2018
Manual backport of `web_security_corb_patch` from `master`.
See #15737 for details.
bcpete pushed a commit to bcpete/electron that referenced this pull request Apr 18, 2019
* fix: extend content layer hook to bypass corb when web security is disabled.

* chore: add patch to disable CORB
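
The scope distinction raised in this thread (the app-wide `--disable-web-security` switch versus the per-window `webSecurity` preference, which after this PR also turns off CORB for that window) can be checked for in review. The following is an added example, not part of the PR or of Electron's code: a small Node.js audit that flags both settings in main-process source. The names `auditWebSecurity`, `stripLineComment`, `RULES` and the sample source are assumptions constructed for illustration.

```javascript
// Added example (not Electron's code): audit main-process source for the two
// settings discussed in this thread and report the scope each one affects.
const RULES = [
  // Per-window preference; per this PR's release note it also disables CORB.
  { scope: 'window', setting: 'webPreferences.webSecurity=false',
    pattern: /\bwebSecurity\s*:\s*false\b/ },
  // Chromium switch; applies to the entire app, not one BrowserWindow.
  { scope: 'app', setting: '--disable-web-security',
    pattern: /\bdisable-web-security\b/ }
]

// Drop trailing // comments so commented-out settings are not reported.
// The [^:] guard keeps "https://..." inside string literals intact.
function stripLineComment(line) {
  return line.replace(/(^|[^:])\/\/.*$/, '$1')
}

// Returns [{ line, scope, setting }] in source order (1-based line numbers).
function auditWebSecurity(source) {
  const findings = []
  source.split('\n').forEach((raw, i) => {
    const code = stripLineComment(raw)
    for (const { scope, setting, pattern } of RULES) {
      if (pattern.test(code)) findings.push({ line: i + 1, scope, setting })
    }
  })
  return findings
}

// Constructed sample of an Electron main.js (illustration only).
const SAMPLE_MAIN_JS = `
const { app, BrowserWindow } = require('electron')
app.commandLine.appendSwitch('disable-web-security')
app.on('ready', () => {
  const safe = new BrowserWindow({ webPreferences: { webSecurity: true } })
  const risky = new BrowserWindow({
    webPreferences: {
      nodeIntegration: false,
      webSecurity: false // same-origin policy and CORB are off for this window
    }
  })
  // const old = new BrowserWindow({ webPreferences: { webSecurity: false } })
})
`

for (const f of auditWebSecurity(SAMPLE_MAIN_JS)) {
  console.log(`line ${f.line}: ${f.setting} (scope: ${f.scope})`)
}
```

The matcher is line-based and regex-only, so it misses settings built dynamically (for example a preferences object assembled from configuration); treat a clean result as a starting point for review, not proof.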