Permission host mismatch #13475
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -394,7 +394,7 @@ function registerPermissionHandler (session, partition) { | |
| const isPrivate = module.exports.isPrivate(partition) | ||
| // Keep track of per-site permissions granted for this session. | ||
| let permissions = null | ||
| session.setPermissionRequestHandler((mainFrameOrigin, requestingUrl, permissionTypes, muonCb) => { | ||
| if (!permissions) { | ||
| permissions = { | ||
| media: { | ||
|
|
@@ -427,35 +427,35 @@ function registerPermissionHandler (session, partition) { | |
| // TODO(bridiver) - the permission handling should be converted to an action because we should never call `appStore.getState()` | ||
| // Check whether there is a persistent site setting for this host | ||
| const appState = appStore.getState() | ||
| const isBraveOrigin = mainFrameOrigin.startsWith(`chrome-extension://${config.braveExtensionId}/`) | ||
| const isPDFOrigin = mainFrameOrigin.startsWith(`${pdfjsOrigin}/`) | ||
| let settings | ||
| let tempSettings | ||
| if (requestingUrl === appUrlUtil.getBraveExtIndexHTML() || isPDFOrigin || isBraveOrigin) { | ||
| // lookup, display and store site settings by the origin alias | ||
| requestingUrl = isPDFOrigin ? 'PDF Viewer' : 'Brave Browser' | ||
| // display on all tabs | ||
| mainFrameOrigin = null | ||
| // Lookup by exact host pattern match since 'Brave Browser' is not | ||
| // a parseable URL | ||
| settings = siteSettings.getSiteSettingsForHostPattern(appState.get('siteSettings'), requestingUrl) | ||
| tempSettings = siteSettings.getSiteSettingsForHostPattern(appState.get('temporarySiteSettings'), requestingUrl) | ||
| } else if (requestingUrl.startsWith('magnet:')) { | ||
| // Show "Allow magnet URL to open an external application?", instead of | ||
| // "Allow null to open an external application?" | ||
| // This covers an edge case where you open a magnet link tab, then disable Torrent Viewer | ||
| // and restart Brave. I don't think it needs localization. See 'Brave Browser' above. | ||
| requestingUrl = 'Magnet URL' | ||
| } else { | ||
| // Strip trailing slash | ||
| requestingUrl = getOrigin(requestingUrl) | ||
|
There was a problem hiding this comment. |
||
| settings = siteSettings.getSiteSettingsForURL(appState.get('siteSettings'), requestingUrl) | ||
| tempSettings = siteSettings.getSiteSettingsForURL(appState.get('temporarySiteSettings'), requestingUrl) | ||
| } | ||
|
|
||
| let response = [] | ||
|
|
||
| if (requestingUrl == null) { | ||
| response = new Array(permissionTypes.length) | ||
|
There was a problem hiding this comment. This looks to be the first real change (origin => requestingUrl)- everything else above this line is just renaming, is that correct? |
||
| response.fill(false, 0, permissionTypes.length) | ||
| muonCb(response) | ||
|
|
@@ -471,7 +471,7 @@ function registerPermissionHandler (session, partition) { | |
| response.push(false) | ||
| } else if (permission === 'fullscreen' && | ||
| // The Torrent Viewer extension is always allowed to show fullscreen media | ||
| mainFrameOrigin.startsWith('chrome-extension://' + config.torrentExtensionId)) { | ||
|
There was a problem hiding this comment. this throws an error when you go to http://www.orimi.com/pdf-test.pdf and click the fullscreen button should be There was a problem hiding this comment. actually it shouldn't - https://github.com/brave/browser-laptop/pull/13475/files#diff-8a9bac13ef6264feb2b6da7c18d86b3cR440 set the mainFrameOrigin to null deliberately so i think this just has to check if mainFrameOrigin is null |
||
| response.push(true) | ||
| } else if (permission === 'fullscreen' && alwaysAllowFullscreen) { | ||
| // Always allow fullscreen if setting is ON | ||
|
|
@@ -497,7 +497,7 @@ function registerPermissionHandler (session, partition) { | |
|
|
||
| // Display 'Brave Browser' if the origin is null; ex: when a mailto: link | ||
| // is opened in a new tab via right-click | ||
| const message = locale.translation('permissionMessage').replace(/{{\s*host\s*}}/, getOrigin(requestingUrl) || 'Brave Browser').replace(/{{\s*permission\s*}}/, permissions[permission].action) | ||
|
There was a problem hiding this comment. Do you have an example of where the There was a problem hiding this comment. UPDATE: found it- I wanted to find an example of the args passed in There was a problem hiding this comment. Looking at the code in Muon... Super glad you fixed this mismatch issue 😄 There was a problem hiding this comment. can also be simplified using https://github.com/brave/browser-laptop/pull/13475/files#r177257591 |
||
|
|
||
| // If this is a duplicate, clear the previous callback and use the new one | ||
| if (permissionCallbacks[message]) { | ||
|
|
@@ -511,9 +511,9 @@ function registerPermissionHandler (session, partition) { | |
| {text: locale.translation('deny')}, | ||
| {text: locale.translation('allow')} | ||
| ], | ||
| frameOrigin: getOrigin(mainFrameOrigin), | ||
| options: { | ||
| persist: !!requestingUrl, | ||
| index: i | ||
| }, | ||
| message | ||
|
|
@@ -530,7 +530,7 @@ function registerPermissionHandler (session, partition) { | |
| response[index] = result | ||
| if (persist) { | ||
| // remember site setting for this host | ||
| appActions.changeSiteSetting(requestingUrl, permission + 'Permission', result, isPrivate) | ||
|
There was a problem hiding this comment. I'm confused why we are getting the permissions for the main frame origin in https://github.com/brave/browser-laptop/pull/13475/files#diff-8a9bac13ef6264feb2b6da7c18d86b3cR452, but here we apply permissions by There was a problem hiding this comment. see https://github.com/brave/browser-laptop/pull/13475/files#r177257591 - this should apply the change by requesting origin, not full URL |
||
| } | ||
| if (response.length === permissionTypes.length) { | ||
| permissionCallbacks[message] = null | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -470,7 +470,10 @@ const UrlUtil = { | |
| if (parsed.protocol === 'about:') { | ||
| return [parsed.protocol, parsed.path].join('') | ||
| } | ||
| if (parsed.origin.length !== 0) { | ||
| return parsed.origin.replace(/\/+$/, '') | ||
| } | ||
| return parsed.href.replace(/\/+$/, '') | ||
|
There was a problem hiding this comment. is this change still needed? i don't think this works on arbitrary URLs, ex: There was a problem hiding this comment. let's remove this diff if it's no longer needed There was a problem hiding this comment. This is still needed, There was a problem hiding this comment. @jumde what if instead of this change, you just change https://github.com/brave/browser-laptop/pull/13475/files#diff-7b5b041c814805dd8496488bc6a53d3cR469 to also please add a test case in the getOrigin unit tests There was a problem hiding this comment. Host is also null for arbitrary URLs: There was a problem hiding this comment. @jumde i see. what if instead of changing the behavior of i am reluctant to change getOrigin since it's used in various places for security checks |
||
| } | ||
| if (parsed.host && parsed.protocol) { | ||
| return parsed.slashes ? [parsed.protocol, parsed.host].join('//') : [parsed.protocol, parsed.host].join('') | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you have to do
requestingUrl = getOrigin(requestingUrl)before calling these settings since these were previously saved by origin not full URLThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or better yet, define
const requestingOrigin = getOrigin(requestingUrl)in the function scope so that it's harder to confuse URL with origin