mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
2c6dd1156c
* fix: use requesting frame origin instead of top-level URL for permissions `WebContentsPermissionHelper::RequestPermission` passes `web_contents_->GetLastCommittedURL()` as the origin to the permission manager instead of the actual requesting frame's origin. This enables origin confusion when granting permissions to embedded third-party iframes, since app permission handlers see the top-level origin instead of the iframe's. The same pattern exists in the HID, USB, and Serial device choosers, where grants are keyed to the primary main frame's origin rather than the requesting frame's. Fix this by using `requesting_frame->GetLastCommittedOrigin()` in all affected code paths, renaming `details.requestingUrl` to `details.requestingOrigin`, and populating it with the serialized origin only. * chore: keep requestingUrl name in permission handler details The previous commit changed the details.requestingUrl field to details.requestingOrigin in permission request/check handlers. That field was already populated from the requesting frame's RFH, so the rename was unnecessary and would break apps that read the existing property. Revert to requestingUrl to preserve the existing API shape. The functional changes to use the requesting frame in WebContentsPermissionHelper and the HID/USB/Serial choosers remain. --------- Co-authored-by: Samuel Attard <sattard@anthropic.com>