mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
fix: ensure corsEnabled: false protocol handlers do not work across protocols (#51152)

* fix: ensure corsEnabled: false protocol handlers do not work across protocols

Subresource requests for registered custom protocols are routed to
ElectronURLLoaderFactory via the renderer's per-scheme URLLoaderFactoryBundle
entry, which bypasses the network service's CorsURLLoaderFactory. This meant a
cross-origin page could fetch() a scheme registered with {supportFetchAPI: true}
and read the response body even when {corsEnabled: true} was not set.

Replicate CorsURLLoader::StartRequest's kCorsDisabledScheme gate in
ElectronURLLoaderFactory::CreateLoaderAndStart so cross-origin mode=cors
requests to such schemes fail before the JS handler runs, and tag cross-origin
mode=no-cors responses as opaque so the body is not script-readable while <img>
and similar subresource loads continue to work.

Re-enable the long-disabled "disallows CORS and fetch requests when only
supportFetchAPI is specified" test, add coverage for the opaque/no-cors,
same-origin, handler-not-invoked, corsEnabled-unaffected and net.fetch-unaffected
cases, and migrate spec helpers that were exercising a {supportFetchAPI: true}
scheme cross-origin to a corsEnabled scheme.
* chore: oxfmt
(cherry picked from commit 92f0993d94)
13 lines
846 B
JSON
[
  "// NOTE: this file is used to disable tests in our test suite by their full title.",
  "BrowserWindow module BrowserWindow.loadURL(url) should emit did-fail-load event for files that do not exist",
  "Menu module Menu.setApplicationMenu unsets a menu with null",
  "process module main process process.takeHeapSnapshot() returns true on success",
  "session module ses.cookies should set cookie for standard scheme",
  "webFrameMain module WebFrame.visibilityState should match window state",
  "reporting api sends a report for a deprecation",
  "chromium features SpeechSynthesis should emit lifecycle events",
  "BrowserWindow module draggable regions should allow the window to be dragged when enabled",
  "BrowserWindow module draggable regions should allow the window to be dragged when no WCO and --webkit-app-region: drag enabled"
]