Skip to content

fix: validate response header names and values before AddHeader#50123

Merged
MarshallOfSound merged 1 commit intomainfrom
sam/response-header-validation
Mar 8, 2026
Merged

fix: validate response header names and values before AddHeader#50123
MarshallOfSound merged 1 commit intomainfrom
sam/response-header-validation

Conversation

@MarshallOfSound
Copy link
Copy Markdown
Member

@MarshallOfSound MarshallOfSound commented Mar 8, 2026

Adds net::HttpUtil::IsValidHeaderName/IsValidHeaderValue checks before calling HttpResponseHeaders::AddHeader in:

  • ToResponseHead (custom protocol handler response headers) — invalid headers are dropped
  • Converter<HttpResponseHeaders*>::FromV8 (webRequest.onHeadersReceived) — conversion fails on invalid input

This matches the existing validation already applied to request headers in electron_api_url_loader.cc.

Notes: Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected.

@MarshallOfSound
fix: validate response header names and values before AddHeader
3fa4ca5 
Matches the existing validation applied to request headers in
electron_api_url_loader.cc.
@MarshallOfSound MarshallOfSound added semver/patch backwards-compatible bug fixes target/38-x-y PR should also be added to the "38-x-y" branch. target/39-x-y PR should also be added to the "39-x-y" branch. target/40-x-y PR should also be added to the "40-x-y" branch. target/41-x-y PR should also be added to the "41-x-y" branch. labels Mar 8, 2026
@electron-cation electron-cation bot added the new-pr 🌱 PR opened recently label Mar 8, 2026
@MarshallOfSound MarshallOfSound merged commit 9b78d75 into main Mar 8, 2026
82 checks passed
@MarshallOfSound MarshallOfSound deleted the sam/response-header-validation branch March 8, 2026 22:40
@release-clerk
Copy link
Copy Markdown

release-clerk bot commented Mar 8, 2026

Release Notes Persisted

Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected.

This was referenced Mar 8, 2026
Merged
Merged
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Mar 8, 2026

I have automatically backported this PR to "39-x-y", please check out #50129

@trop trop bot mentioned this pull request Mar 8, 2026
Merged
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Mar 8, 2026

I have automatically backported this PR to "38-x-y", please check out #50130

@trop trop bot added in-flight/39-x-y in-flight/38-x-y and removed target/39-x-y PR should also be added to the "39-x-y" branch. labels Mar 8, 2026
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Mar 8, 2026

I have automatically backported this PR to "40-x-y", please check out #50131

@trop trop bot added in-flight/40-x-y and removed target/38-x-y PR should also be added to the "38-x-y" branch. target/40-x-y PR should also be added to the "40-x-y" branch. labels Mar 8, 2026
@trop trop bot mentioned this pull request Mar 8, 2026
Merged
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Mar 8, 2026

I have automatically backported this PR to "41-x-y", please check out #50132

@trop trop bot added in-flight/41-x-y merged/40-x-y PR was merged to the "40-x-y" branch. and removed target/41-x-y PR should also be added to the "41-x-y" branch. in-flight/40-x-y in-flight/41-x-y labels Mar 8, 2026
@trop trop bot added merged/41-x-y PR was merged to the "41-x-y" branch. merged/39-x-y PR was merged to the "39-x-y" branch. merged/38-x-y PR was merged to the "38-x-y" branch. and removed in-flight/39-x-y in-flight/38-x-y labels Mar 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@codebytere codebytere codebytere approved these changes

Assignees

No one assigned

Labels

merged/38-x-y PR was merged to the "38-x-y" branch. merged/39-x-y PR was merged to the "39-x-y" branch. merged/40-x-y PR was merged to the "40-x-y" branch. merged/41-x-y PR was merged to the "41-x-y" branch. new-pr 🌱 PR opened recently semver/patch backwards-compatible bug fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MarshallOfSound @codebytere