Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Url to JavascriptBindingEventArgs #5021

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add Url to JavascriptBindingEventArgs #5021

wants to merge 1 commit into from
+22 −14

Conversation

amaitland
Copy link
Member

@amaitland amaitland commented Jan 2, 2025
edited
Loading

Issue #5001

Summary:

  • Add additional info to event args

Changes:

  • Add url to event args

How Has This Been Tested?
Tests have been updated

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Updated documentation

Checklist:

  • Tested the code(if applicable)
  • Commented my code
  • Changed the documentation(if applicable)
  • New files have a license disclaimer
  • The formatting is consistent with the project (project supports .editorconfig)

@AppVeyorBot
Copy link

Build CefSharp 131.3.10-CI5135 completed (commit 3de1bade0e by @amaitland)

@AppVeyorBot
Copy link

Build CefSharp 131.3.10-CI5137 completed (commit 89b7d8ee83 by @amaitland)

@amaitland amaitland force-pushed the enhancement/addurltoJavascriptBindingEventArgs branch from acda14f to 0cb2878 Compare January 2, 2025 23:05
@amaitland amaitland changed the title Add Url to JavascriptBinding event args and allow for custom method runner queue Add Url to JavascriptBinding event args Jan 2, 2025
@amaitland
Copy link
Member Author

I had originally though about exposing the JS repository and method runner queue for users to customise, reverted this change as I'm not sure that it's wise.

@amaitland amaitland changed the title Add Url to JavascriptBinding event args Add Url to JavascriptBindingEventArgs Jan 2, 2025
@amaitland amaitland marked this pull request as ready for review January 2, 2025 23:13
@AppVeyorBot
Copy link

Build CefSharp 131.3.10-CI5141 completed (commit 80c0d4edbe by @amaitland)

@amaitland amaitland mentioned this pull request Jan 6, 2025
Open
@petrdrabek
Copy link

@amaitland I’ve done a deep dive into the origin restriction security issue, and unfortunately, this approach doesn’t fully resolve the problem.

Here’s the core issue: in the JavascriptObjectRepository_ResolveObject(object sender, CefSharp.Event.JavascriptBindingEventArgs e) method, it’s not possible to prevent object registration in JavaScript when CefSharp.BindObjectAsync() is called.

For example:

  1. A browser instance has a main frame and several iFrames.
  2. The main frame, with an allowed origin, successfully calls CefSharp.BindObjectAsync(), and objects are registered.
  3. None of the iFrames can access these objects, which is correct.
  4. However, if an iFrame with a disallowed origin calls CefSharp.BindObjectAsync(), the JavascriptObjectRepository_ResolveObject method is triggered. Since the objects are already registered in the JavascriptObjectRepository (i.e., IsBound(objectName) returns true), simply returning from the method gives the iFrame access to these objects. Currently, the only option to prevent this is to call javascriptObjectRepository.UnRegisterAll(), but this also removes access for the main frame, which is not ideal:
//  
// Summary:  
//     Unregister all the currently bound objects from the repository.  
//     If you unregister an object that is currently bound in JavaScript,  
//     method/property calls will fail.  
void UnRegisterAll();

This limitation makes it difficult to manage object access based on origin securely.

@amaitland
Copy link
Member Author

I’ve done a deep dive into the origin restriction security issue, and unfortunately, this approach doesn’t fully resolve the problem.

Nor is it expected to. This is just a piece of the puzzle.

Additional code changes would be required as per my comment at #5001 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@amaitland @AppVeyorBot @petrdrabek