fix: do not cancel CORS preflight request on proxy auth. #29266
Conversation
|
This PR fixes the problem described in #29265 |
If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners.
4ac1eac to
b28ef25
Compare
|
Marked issue is a duplicate of #25758. |
nornagon
left a comment
There was a problem hiding this comment.
This doesn't match the related code in Chromium: https://source.chromium.org/chromium/chromium/src/+/main:extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc;l=857-869;drc=924ddf7fffcdc465838e48a40b08ed41bf480a5c
Can you expand on why this is necessary?
|
I've already reported https://chromium-review.googlesource.com/c/chromium/src/+/2910336 to chromium, which is similar change in their code. |
zcbenz
left a comment
There was a problem hiding this comment.
I'm good with this change, but we should wait for how Chromium reviewers say before merging.
|
Amazing this is being fixed now. I’ve received the issue intermittently in chrome too where by I have to reset my settings and it goes away - I can only guess something in my setup pushes chrome into this extra header mode. |
|
@marekharanczyk the Chromium change does not have the maximum of 3 attempts, why do we need it here? |
|
@marekharanczyk looks like we should also include https://chromium-review.googlesource.com/c/chromium/src/+/2011781 |
|
@miniak The retry check is because electron does not have same handling of auth that chromium has, just a safety measure to prevent infinite loop. I can remove it if it bothers you. Regarding second chromium fix you pointed: I will move it as well. |
Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory.
|
@marekharanczyk I was mostly just wondering why the fix is different between Chromium and Electron. If you believe the retry limit makes sense we can keep it. |
|
Updated code to final version that just got merged upstream and removed fail safe. |
| // CorsURLLoader::FollowRedirect. In such a case the old network::URLLoader | ||
| // is going to be detached fairly soon, so we don't need to take care of it. | ||
| // We need this explicit reset to avoid a DCHECK failure in mojo::Receiver. | ||
| header_client_receiver_.reset(); |
There was a problem hiding this comment.
Is this .reset() needed given we immediately .Bind() on the next line?
There was a problem hiding this comment.
This is a cherry-pick of https://chromium-review.googlesource.com/c/chromium/src/+/2011781. Reason for reset is stated above in comment by original author, it is here to prevent DCHECK in mojo receiver.
|
11.x is security fixes only now. |
|
Release Notes Persisted
|
* fix: do not cancel CORS preflight request on proxy auth. If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners. * Port chromium webrequest changes to electron code. Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory. * Update code to upstreamed version and remove retyr count failsafe. Co-authored-by: Milan Burda <milan.burda@gmail.com>
* fix: do not cancel CORS preflight request on proxy auth. If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners. * Port chromium webrequest changes to electron code. Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory. * Update code to upstreamed version and remove retyr count failsafe. Co-authored-by: Milan Burda <milan.burda@gmail.com>
* fix: do not cancel CORS preflight request on proxy auth. If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners. * Port chromium webrequest changes to electron code. Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory. * Update code to upstreamed version and remove retyr count failsafe. Co-authored-by: Milan Burda <milan.burda@gmail.com>
|
I have automatically backported this PR to "12-x-y", please check out #29810 |
|
I have automatically backported this PR to "13-x-y", please check out #29811 |
|
I have automatically backported this PR to "14-x-y", please check out #29812 |
* fix: do not cancel CORS preflight request on proxy auth. (#29266) * fix: do not cancel CORS preflight request on proxy auth. If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners. * Port chromium webrequest changes to electron code. Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory. * Update code to upstreamed version and remove retyr count failsafe. Co-authored-by: Milan Burda <milan.burda@gmail.com> * chore: add required header Co-authored-by: marekharanczyk <48673767+marekharanczyk@users.noreply.github.com> Co-authored-by: Milan Burda <milan.burda@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
* fix: do not cancel CORS preflight request on proxy auth. (#29266) * fix: do not cancel CORS preflight request on proxy auth. If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners. * Port chromium webrequest changes to electron code. Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory. * Update code to upstreamed version and remove retyr count failsafe. Co-authored-by: Milan Burda <milan.burda@gmail.com> * chore: add required header Co-authored-by: marekharanczyk <48673767+marekharanczyk@users.noreply.github.com> Co-authored-by: Milan Burda <milan.burda@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
* fix: do not cancel CORS preflight request on proxy auth. (#29266) * fix: do not cancel CORS preflight request on proxy auth. If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners. * Port chromium webrequest changes to electron code. Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory. * Update code to upstreamed version and remove retyr count failsafe. Co-authored-by: Milan Burda <milan.burda@gmail.com> * chore: add required header Co-authored-by: marekharanczyk <48673767+marekharanczyk@users.noreply.github.com> Co-authored-by: Milan Burda <milan.burda@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
) * fix: do not cancel CORS preflight request on proxy auth. If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circut breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners. * Port chromium webrequest changes to electron code. Move relevant parts of chromium WebRequestProxyingURLLoaderFactory from https://chromium-review.googlesource.com/c/chromium/src/+/2011781 into electron ProxyingURLLoaderFactory. * Update code to upstreamed version and remove retyr count failsafe. Co-authored-by: Milan Burda <milan.burda@gmail.com>
Description of Change
If connecting via proxy, preflight request can receive 407 header response from proxy. This does not mean request was finished even though it received headers (from proxy, not the destination server), so prevent "completing" and most importantly deleting it, which causes request to be canceled in network layer. Just continue to monitor it and await proper response from server. Also add circuit breaker to cancel request if proxy auth failed 3 times (for example user keeps cancelling auth). This behavior happens only when app registered WebRequest api listeners.
Fixes #25184
Fixes #25758
Checklist
npm testpassesRelease Notes
Notes: Fixed CORS preflight request always being cancelled when connecting via proxy requiring authentication for apps that had registered WebRequest listeners.