nwjs does not remove "Cross Origin Read Blocking" from privileged frames #6871

Closed
julijane opened this issue Nov 19, 2018 · 5 comments

julijane commented Nov 19, 2018

NWJS Version : 0.34.3
Operating System : Linux

Expected behavior

Documentation (http://docs.nwjs.io/en/latest/For%20Users/Advanced/Security%20in%20NW.js/) states:

Bypass all security restrictions, such as sandboxing, same origin policy etc

Actual behavior

Cross Origin Read Blocking introduced in Chrome 67 (https://www.chromestatus.com/feature/5629709824032768) is not bypassed.

This blocks lots of requests (or actually not the requests but suppresses the result), e.g. getting a text/html URI or a JSON file from resources served without CORS headers.

How to reproduce

Make an XMLHttpRequest to e.g. a JSON file which is served without CORS headers.

Results in error on console:

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://REDACTED with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.

Or try to request a normal webpage (e.g. google.com) which is served as text/html. Results in the same error, with different MIME type of course.
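
An added example, not part of the original issue or the NW.js code base: a simplified JavaScript model of the MIME-type step that makes a cross-origin response a CORB candidate, covering the `application/json` and `text/html` cases reported above. The category list follows Chromium's public CORB explainer; the helper names and sample URLs are constructed, and the body sniffing Chromium also performs is not modelled.

```javascript
// Simplified model of CORB's MIME-type classification only.
// corbProtectedCategory / corbCandidates are hypothetical helper names,
// not Chromium or NW.js APIs.
function corbProtectedCategory(contentTypeHeader) {
  if (typeof contentTypeHeader !== "string") return null;
  // Drop parameters such as "; charset=utf-8" and normalise case.
  const essence = contentTypeHeader.split(";")[0].trim().toLowerCase();
  const parts = essence.split("/");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const subtype = parts[1];

  if (essence === "text/html") return "html";
  if (essence === "text/plain") return "plain";
  // image/svg+xml is explicitly excluded from the XML category.
  if (essence === "image/svg+xml") return null;
  if (essence === "text/json" || essence === "application/json" ||
      subtype.endsWith("+json")) return "json";
  if (essence === "text/xml" || essence === "application/xml" ||
      subtype.endsWith("+xml")) return "xml";
  return null;
}

// Return only the responses whose Content-Type falls in a protected category.
function corbCandidates(responses) {
  return responses
    .map((r) => ({ url: r.url, category: corbProtectedCategory(r.contentType) }))
    .filter((r) => r.category !== null);
}

// Constructed sample data (not taken from the issue).
const SAMPLE_RESPONSES = [
  { url: "https://api.example.test/data.json", contentType: "application/json" },
  { url: "https://www.example.test/", contentType: "text/html; charset=UTF-8" },
  { url: "https://cdn.example.test/logo.svg", contentType: "image/svg+xml" },
  { url: "https://cdn.example.test/app.js", contentType: "application/javascript" },
];

for (const hit of corbCandidates(SAMPLE_RESPONSES)) {
  console.log(`${hit.url} -> CORB-protected category: ${hit.category}`);
}
```
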

@rogerwang rogerwang self-assigned this Dec 10, 2018
@rogerwang
Member

Will look to fix this soon. Thanks for reporting.

@rogerwang
Member

@julijane it works for me -- I tried with a simple main html with this script with 0.34.3 and Linux:

function reqListener () {
  console.log(this.responseText);
}

var oReq = new XMLHttpRequest();
oReq.addEventListener("load", reqListener);
oReq.open("GET", "https://www.google.com");
oReq.send();

julijane commented Dec 10, 2018

@rogerwang After some testing I found that it does not happen when loading from file (like in a production build). But when the application was loaded via http (e.g. from a webpack-dev-server during development) CORB blocks the request even though node-remote is set to ://localhost/

@rogerwang
Member

This is fixed in git and will be available in the next nightly build.
