fix: bypass CORB when web security is disabled #15737
Looks good to me as a temporary fix.
It looks like this should be implementable without patching through the `--disable-web-security` switch?
That disables it for the entire app rather than a single BrowserWindow, correct?
Ah, yes, you're right. One more try for a patchless fix: could we leverage this code from

```cpp
// Give embedder a chance to skip document blocking for this response.
const char* initiator_scheme_exception =
    GetContentClient()
        ->browser()
        ->GetInitatorSchemeBypassingDocumentBlocking();

// Delegate most decisions to CrossOriginReadBlocking::ResponseAnalyzer.
analyzer_ =
    std::make_unique<network::CrossOriginReadBlocking::ResponseAnalyzer>(
        *request(), response, initiator_scheme_exception);
if (analyzer_->ShouldAllow())
  return false;
```
@nornagon that was my initial approach, but it's less generic and has a scheme-based bypass. We can't easily make it compatible with our current
b179c93 to 6f15379
This still needs to be backported to
Release Notes Persisted
Manual backport of `web_security_corb_patch` from `master`. See #15737 for details.
* fix: extend content layer hook to bypass corb when web security is disabled.
* chore: add patch to disable CORB
Description of Change
This temporarily adds a patch for disabling CORB checks for the pre-network-service code path. Things would be easier to solve once we get to implement `ContentBrowserClient::CreateURLLoaderFactoryForNetworkRequests`.
Fixes #15132
Checklist
`npm test` passes
Release Notes
Notes: Disable CORB checks when web security preference is disabled
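
The three bypass scopes discussed in this thread (the app-wide `--disable-web-security` switch, a scheme-based bypass, and a bypass tied to one window's web security preference) can be compared in a simplified model. This is an added example, not code from this PR, Electron or Chromium: `Request`, `Response`, `EmbedderPolicy` and `CorbBlocks` are hypothetical names, and the MIME and sniffing rules are reduced to a few cases.

```cpp
// Added illustration: a simplified model, not Chromium or Electron source.
// Every type, field and function name below is hypothetical.
#include <cstdio>
#include <string>

struct Request {
  std::string initiator_origin;  // origin of the page making the request
  std::string target_origin;     // origin serving the response
  bool window_web_security;      // the requesting window's preference
};
struct Response {
  std::string mime_type;   // declared Content-Type
  bool nosniff;            // X-Content-Type-Options: nosniff was sent
  bool sniffed_protected;  // sniffing confirmed HTML, XML or JSON
  bool cors_allowed;       // response passed a CORS check
};
struct EmbedderPolicy {
  bool app_wide_disable;         // models the --disable-web-security switch
  std::string exempt_scheme;     // models a scheme-based bypass ("" = none)
  bool honor_window_preference;  // models a per-window bypass
};

static bool IsProtectedMime(const std::string& m) {
  return m == "text/html" || m == "text/xml" || m == "application/xml" ||
         m == "application/json";
}

// Returns true when the modelled CORB check would block the response.
bool CorbBlocks(const Request& req, const Response& res,
                const EmbedderPolicy& policy) {
  if (policy.app_wide_disable) return false;  // every window is exempt
  if (!policy.exempt_scheme.empty() &&
      req.initiator_origin.rfind(policy.exempt_scheme + "://", 0) == 0)
    return false;  // exempt by initiator scheme, whatever the window says
  if (policy.honor_window_preference && !req.window_web_security)
    return false;  // only windows with web security off are exempt
  if (req.initiator_origin == req.target_origin) return false;
  if (res.cors_allowed) return false;
  if (!IsProtectedMime(res.mime_type)) return false;
  return res.nosniff || res.sniffed_protected;
}

int main() {
  // Constructed sample: cross-origin JSON served with nosniff.
  Request secure{"https://app.example", "https://api.example", true};
  Request relaxed{"https://app.example", "https://api.example", false};
  Response json{"application/json", true, true, false};
  EmbedderPolicy per_window{false, "", true};
  std::printf("%d %d\n", CorbBlocks(secure, json, per_window),
              CorbBlocks(relaxed, json, per_window));
}
```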