Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RDX: Extensions should not do CORS #8285

Open
mook-as opened this issue Feb 25, 2025 · 1 comment · May be fixed by #8286
Open

RDX: Extensions should not do CORS #8285

mook-as opened this issue Feb 25, 2025 · 1 comment · May be fixed by #8286
Assignees
@mook-as
Labels
area/rdx kind/bug Something isn't working parity/project Feature is available from other projects
Milestone
1.19

Comments

@mook-as
Copy link
Contributor

mook-as commented Feb 25, 2025

Actual Behavior

We currently make CORS requests (HTTP OPTIONS) when extension UI makes XHR requests.

Steps to Reproduce

  1. Run Rancher Desktop in dev mode (to get dev tools)
  2. Install extension that makes XHR requests
  3. Read the network logs

Result

CORS requests are made (with Origin of x-rd-extension://…).

Expected Behavior

For compatibility, it seems like we shouldn't be making CORS requests when the extension UI makes requests (to the wider internet, as in XHR).

Additional Information

No response

Rancher Desktop Version

1.18.0-54-gb0f0c47de

Rancher Desktop K8s Version

N/A

Which container engine are you using?

moby (docker cli)

What operating system are you using?

macOS

Operating System / Build Version

macOS Ventura 13.7.2

What CPU architecture are you using?

arm64 (Apple Silicon)

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response
@mook-as mook-as added area/rdx kind/bug Something isn't working parity/project Feature is available from other projects labels Feb 25, 2025
@mook-as mook-as added this to the 1.19 milestone Feb 25, 2025
@mook-as mook-as self-assigned this Feb 25, 2025
@mook-as
Copy link
Contributor Author

mook-as commented Feb 25, 2025

What I've found out so far:

  • WebPreferences has a webSecurity field that turns off CORS.
  • However, setting that to false also stops loading preload scripts, so that's not very useful.
  • I have not been able to replicate this result in a dummy Electron app; it's something to do with RD specifically.

@mook-as mook-as linked a pull request Feb 26, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mook-as mook-as

Labels
area/rdx kind/bug Something isn't working parity/project Feature is available from other projects
Projects
None yet
Milestone
1.19
Development

Successfully merging a pull request may close this issue.

RDX: Bypass CORS mook-as/rd
1 participant
@mook-as