CefAddCrossOriginWhitelistEntry not fully works at cef 81 #2918

Open
magreenblatt opened this issue Apr 20, 2020 · 14 comments
Labels
bug Bug report Framework Related to framework code or APIs

Comments

@magreenblatt
Collaborator

Original report by elad bahar (Bitbucket: eBahar).


1. What steps will reproduce the problem?
Not sure how to reproduce it in cefclient, but the scenario is:
Create a custom scheme and add a |CefAddCrossOriginWhitelistEntry| for some HTTP/HTTPS origin.
From the custom scheme URL, try to:

var xmlhttp = new XMLHttpRequest();
// The target is an HTTPS URL on the whitelisted origin.
xmlhttp.open("POST", "https://…");
xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
var data = { test: "test" };
xmlhttp.send(JSON.stringify(data));

2. What is the expected output? What do you see instead?
The request fails with net::ERR_FAILED. It should not be blocked.

3. What version of the product are you using? On what operating system?

Windows 10 64-bit, CEF 81.2.17+gb382c62+chromium-81.0.4044.113 / Chromium 81.0.4044.113

4. Does the problem reproduce with the cefclient or cefsimple sample application at the same version? How about with a newer or older version?

Worked fine at version 79.

Some notes:

@magreenblatt
Collaborator Author

Original comment by elad bahar (Bitbucket: eBahar).


From M80, OutOfBlinkCors is enabled by default (in M79 it was disabled).
E.g., CORS check validation is done in the NetworkService process.

https://source.chromium.org/chromium/chromium/src/+/master:services/network/public/cpp/features.cc;drc=7275d73596c4fec4e7d6a70d637206bfca9083d6;l=39?originalUrl=https:%2F%2Fcs.chromium.org%2F

// Out of Blink CORS for browsers is launched at m79 (http://crbug.com/1001450),
// and one for WebView will be at m81 (http://crbug.com/1035763).
// The legacy CORS will be also maintained at least until m81 for enterprise
// users. See https://sites.google.com/a/chromium.org/dev/Home/loading/oor-cors
// for FYI Builders information.
const base::Feature kOutOfBlinkCors{"OutOfBlinkCors",
                                    base::FEATURE_ENABLED_BY_DEFAULT};

@magreenblatt
Collaborator Author

OutOfBlinkCors is currently disabled in CEF, see issue #2716.

@magreenblatt
Collaborator Author

Original comment by elad bahar (Bitbucket: eBahar).


Duplicate of #2716.

@magreenblatt
Collaborator Author

Original changes by elad bahar (Bitbucket: eBahar).


  • changed state from "new" to "resolved"

@magreenblatt
Collaborator Author

Original comment by elad bahar (Bitbucket: eBahar).


Now that 'OutOfBlinkCors' has been removed from Chromium,
the bug is valid again.

@magreenblatt
Collaborator Author

Original changes by elad bahar (Bitbucket: eBahar).


  • changed state from "resolved" to "open"

@magreenblatt
Collaborator Author

Original comment by Max Steenbergen (Bitbucket: maxsteenbergen, GitHub: maxsteenbergen).


We recently updated to m89 to keep up with the latest development, but this is a major app breaker for us: without the combo of CefAddCrossOriginWhitelistEntry and custom schemes, our app is dead in the water.

@magreenblatt
Collaborator Author

magreenblatt commented Jun 3, 2021

  1. Are you making the XMLHttpRequest to an HTTPS scheme? If so, is your custom scheme (source of the XMLHttpRequest) registered as secure (CEF_SCHEME_OPTION_SECURE)?
  2. Are there any warning/error messages in the DevTools console when the request is blocked?
  3. Where and with what arguments, specifically, are you calling CefAddCrossOriginWhitelistEntry?

Note that CefAddCrossOriginWhitelistEntry is intended to substitute for missing Access-Control-Allow-Origin headers, and is not intended to allow requests that are otherwise blocked by CORS preflight restrictions (see discussion here). If the missing Access-Control-Allow-Origin header is the problem then you might consider adding it in CefResourceRequestHandler::OnResourceResponse.

@magreenblatt
Collaborator Author

Original comment by Alex Maitland (Bitbucket: a-maitland).


Adding Access-Control-Allow-Origin to your CefResourceHandler response headers is required in some scenarios.

@magreenblatt
Collaborator Author

@{557058:57d40817-a8a6-4d9a-ae30-fe4d3bde5b20} if you’re saying that CefAddCrossOriginWhitelistEntry doesn’t work consistently for the Access-Control-Allow-Origin use case then perhaps we should just remove the function and always recommend adding the header manually instead.

@magreenblatt
Collaborator Author

Original comment by elad bahar (Bitbucket: eBahar).


Access-Control-Allow-Origin does not cover all cases. CefAddCrossOriginWhitelistEntry is still needed
(we are using both to allow XMLHttpRequest from the custom scheme to some whitelisted origins, and also to allow access from some origins to the custom scheme).

@magreenblatt
Collaborator Author

@{557058:6a93a677-f796-4161-93d5-37463172e888} Have you added the SetCorsOriginAccessListForOrigin function call that you mention in the original report? If so, can you submit your change as a PR? Thanks.

@magreenblatt
Collaborator Author

Original comment by elad bahar (Bitbucket: eBahar).


I did add something to my local build for version 87 (not the best solution, but something that works),
but I think it is no longer valid for CEF 91, due to some changes in the Chromium code.
Once I update to the latest CEF I will try to submit a PR.

@magreenblatt
Collaborator Author

  • changed component from "Unclassified" to "Framework"
