Javascript Binding - Finalize JavascriptBindingApiAllowOrigins: Per-browser isolation and origin normalization (#5218)

* Javascript Binding - Add Ability to limit origins

* Move JS binding settings to CefBrowserWrapper and optimize origin validation

* Initialize origins to null

* Normalize allowed origins

* Optimize origin validation

* Add null check for origin compare

* Fix JavaScript Binding API settings for popups

Move the JS binding API configuration block out of the !browser->IsPopup() scope
in OnBrowserCreated. This ensures that IsJavascriptBindingApiAllowed() enforces
configured restrictions for popups as well.

* Fix possible null deref for JavascriptBindingApiAllowOrigins

In IsJavascriptBindingApiAllowed, added a null check for JavascriptBindingApiAllowOrigins
to prevent a potential null dereference if JavascriptBindingApiHasAllowOrigins is true
but the allowOrigins list itself was null.

* Simplify origin normalization and add null check

* Add more test cases

* Refactor IsJavascriptBindingApiAllowed signature

Refactored IsJavascriptBindingApiAllowed to accept a CefBrowserWrapper^ parameter directly, eliminating redundant lookups and improving clarity. Updated all call sites to pass the browser wrapper explicitly.

* Clarify summary for HasJavascriptBindingApiAllowOrigins

Clarify documentation for HasJavascriptBindingApiAllowOrigins method to specify zero or more origins

* Simplify origin comparison logic in CefAppUnmanagedWrapper

Refactored code to directly compare wide string origins using
_wcsicmp, removing unnecessary pointer casts and null checks.
This streamlines the logic and improves readability.

* Add tests for JavaScript binding API behavior across cross-origin navigation

---------

Co-authored-by: amaitland <307872+amaitland@users.noreply.github.com>
Co-authored-by: Luca Sonntag <luca.sonntag@cgm.com>

Author: 3 people

CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp

@@ -23,6 +23,7 @@
 #include "Wrapper\Browser.h"
 #include "..\CefSharp.Core.Runtime\Internals\Messaging\Messages.h"
 #include "..\CefSharp.Core.Runtime\Internals\Serialization\Primitives.h"
+#include <include/cef_parser.h>
 
 using namespace System;
 using namespace System::Diagnostics;
@@ -87,7 +88,7 @@ namespace CefSharp
                             //Using LegacyBinding with multiple ChromiumWebBrowser instances that share the same
                             //render process and using LegacyBinding will cause problems for the limited caching implementation
                             //that exists at the moment, for now we'll remove an object if already exists, same behaviour
-                            //as the new binding method. 
+                            //as the new binding method.
                             //TODO: This should be removed when https://github.com/cefsharp/CefSharp/issues/2306
                             //Is complete as objects will be stored at the browser level
                             if (_javascriptObjects->ContainsKey(obj->JavascriptName))
@@ -98,16 +99,33 @@ namespace CefSharp
                         }
                     }
                 }
+            }
 
-                _jsBindingApiEnabled = extraInfo->GetBool("JavascriptBindingApiEnabled");
+            if (extraInfo->HasKey("JavascriptBindingApiEnabled"))
+            {
+                wrapper->JavascriptBindingApiEnabled = extraInfo->GetBool("JavascriptBindingApiEnabled");
+            }
+
+            if (extraInfo->HasKey("JavascriptBindingApiHasAllowOrigins"))
+            {
+                wrapper->JavascriptBindingApiHasAllowOrigins = extraInfo->GetBool("JavascriptBindingApiHasAllowOrigins");
 
-                if (extraInfo->HasKey("JsBindingPropertyName") || extraInfo->HasKey("JsBindingPropertyNameCamelCase"))
+                if (wrapper->JavascriptBindingApiHasAllowOrigins)
                 {
-                    //TODO: Create constant for these and legacy binding strings above
-                    _jsBindingPropertyName = extraInfo->GetString("JsBindingPropertyName");
-                    _jsBindingPropertyNameCamelCase = extraInfo->GetString("JsBindingPropertyNameCamelCase");
+                    auto allowOrigins = extraInfo->GetList("JavascriptBindingApiAllowOrigins");
+                    if (allowOrigins.get() && allowOrigins->IsValid())
+                    {
+                        wrapper->JavascriptBindingApiAllowOrigins = allowOrigins->Copy();
+                    }
                 }
             }
+
+            if (extraInfo->HasKey("JsBindingPropertyName") || extraInfo->HasKey("JsBindingPropertyNameCamelCase"))
+            {
+                //TODO: Create constant for these and legacy binding strings above
+                _jsBindingPropertyName = extraInfo->GetString("JsBindingPropertyName");
+                _jsBindingPropertyNameCamelCase = extraInfo->GetString("JsBindingPropertyNameCamelCase");
+            }
         }
 
         void CefAppUnmanagedWrapper::OnBrowserDestroyed(CefRefPtr<CefBrowser> browser)
@@ -147,11 +165,12 @@ namespace CefSharp
                 }
             }
 
-            if (_jsBindingApiEnabled)
+            auto browserWrapper = FindBrowserWrapper(browser->GetIdentifier());
+
+            if (browserWrapper != nullptr && browserWrapper->JavascriptBindingApiEnabled && IsJavascriptBindingApiAllowed(browserWrapper, frame))
             {
                 //TODO: Look at adding some sort of javascript mapping layer to reduce the code duplication
                 auto global = context->GetGlobal();
-                auto browserWrapper = FindBrowserWrapper(browser->GetIdentifier());
                 auto processId = System::Diagnostics::Process::GetCurrentProcess()->Id;
 
                 //TODO: JSB: Split functions into their own classes
@@ -328,6 +347,51 @@ namespace CefSharp
             return rootObject;
         }
 
+        bool CefAppUnmanagedWrapper::IsJavascriptBindingApiAllowed(CefBrowserWrapper^ browserWrapper, CefRefPtr<CefFrame> frame)
+        {
+            if (browserWrapper == nullptr || !browserWrapper->JavascriptBindingApiHasAllowOrigins)
+            {
+                return true;
+            }
+
+            auto allowOrigins = browserWrapper->JavascriptBindingApiAllowOrigins;
+            if (!allowOrigins.get())
+            {
+                return false;
+            }
+
+            auto frameUrl = frame->GetURL();
+
+            CefURLParts frameUrlParts;
+
+            if (CefParseURL(frameUrl, frameUrlParts))
+            {
+                auto originStr = frameUrlParts.origin.str;
+                auto originLen = frameUrlParts.origin.length;
+
+                if (originLen > 0 && originStr[originLen - 1] == L'/')
+                {
+                    originLen--;
+                }
+
+                auto frameUrlOrigin = CefString(originStr, originLen);
+
+                auto size = static_cast<int>(allowOrigins->GetSize());
+
+                for (int i = 0; i < size; i++)
+                {
+                    auto origin = allowOrigins->GetString(i);
+
+                    if (_wcsicmp(frameUrlOrigin.ToWString().c_str(), origin.ToWString().c_str()) == 0)
+                    {
+                        return true;
+                    }
+                }
+            }
+
+            return false;
+        }
+
         CefBrowserWrapper^ CefAppUnmanagedWrapper::FindBrowserWrapper(int browserId)
         {
             CefBrowserWrapper^ wrapper = nullptr;

CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.h

@@ -29,7 +29,6 @@ namespace CefSharp
             gcroot<ConcurrentDictionary<String^, JavascriptRootObjectWrapper^>^> _jsRootObjectWrappersByFrameId;
             bool _focusedNodeChangedEnabled;
             bool _legacyBindingEnabled;
-            bool _jsBindingApiEnabled = true;
 
             // The property names used to call bound objects
             CefString _jsBindingPropertyName;
@@ -39,6 +38,7 @@ namespace CefSharp
             gcroot<Dictionary<String^, JavascriptObject^>^> _javascriptObjects;
 
             gcroot<RegisterBoundObjectRegistry^> _registerBoundObjectRegistry;
+            bool IsJavascriptBindingApiAllowed(CefBrowserWrapper^ browserWrapper, CefRefPtr<CefFrame> frame);
 
         public:
             static const CefString kPromiseCreatorScript;

CefSharp.BrowserSubprocess.Core/CefBrowserWrapper.h

@@ -22,24 +22,31 @@ namespace CefSharp
 {
     namespace BrowserSubprocess
     {
-        // "Master class" for wrapping everything that the Cef Subprocess needs 
+        // "Master class" for wrapping everything that the Cef Subprocess needs
         // for ONE CefBrowser.
         public ref class CefBrowserWrapper
         {
         private:
             MCefRefPtr<CefBrowser> _cefBrowser;
+            MCefRefPtr<CefListValue> _javascriptBindingApiAllowOrigins;
 
         public:
             CefBrowserWrapper(const CefRefPtr<CefBrowser> &cefBrowser)
             {
                 _cefBrowser = cefBrowser.get();
                 BrowserId = cefBrowser->GetIdentifier();
                 IsPopup = cefBrowser->IsPopup();
+
+                JavascriptBindingApiEnabled = true;
+                JavascriptBindingApiHasAllowOrigins = false;
+                JavascriptBindingApiAllowOrigins = nullptr;
             }
 
             !CefBrowserWrapper()
             {
                 _cefBrowser = nullptr;
+
+                _javascriptBindingApiAllowOrigins = nullptr;
             }
 
             ~CefBrowserWrapper()
@@ -49,6 +56,13 @@ namespace CefSharp
 
             property int BrowserId;
             property bool IsPopup;
+            property bool JavascriptBindingApiEnabled;
+            property bool JavascriptBindingApiHasAllowOrigins;
+            property CefRefPtr<CefListValue> JavascriptBindingApiAllowOrigins
+            {
+                CefRefPtr<CefListValue> get() { return _javascriptBindingApiAllowOrigins.get(); }
+                void set(CefRefPtr<CefListValue> value) { _javascriptBindingApiAllowOrigins = value.get(); }
+            }
 
 #ifndef NETCOREAPP
             // This allows us to create the WCF proxies back to our parent process.

CefSharp.Core.Runtime/ManagedCefBrowserAdapter.cpp

@@ -84,6 +84,22 @@ namespace CefSharp
 
             extraInfo->SetBool("JavascriptBindingApiEnabled", objectRepositorySettings->JavascriptBindingApiEnabled);
 
+            auto hasJavascriptBindingApiAllowOrigins = objectRepositorySettings->HasJavascriptBindingApiAllowOrigins();
+
+            extraInfo->SetBool("JavascriptBindingApiHasAllowOrigins", hasJavascriptBindingApiAllowOrigins);
+
+            if (hasJavascriptBindingApiAllowOrigins)
+            {
+                auto allowOriginList = CefListValue::Create();
+
+                for (int i = 0; i < objectRepositorySettings->JavascriptBindingApiAllowOrigins->Length; i++)
+                {
+                    allowOriginList->SetString(i, StringUtils::ToNative(objectRepositorySettings->JavascriptBindingApiAllowOrigins[i]));
+                }
+
+                extraInfo->SetList("JavascriptBindingApiAllowOrigins", allowOriginList);
+            }
+
             CefRefPtr<CefRequestContext> requestCtx;
 
             if (requestContext != nullptr)