Electron: Incorrect origin passed to permission request handler for iframe requests
GHSA-r5p7-gp4j-qhrx · CVE-2026-34777
Published · Modified
Description
Impact
When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.
The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.
Workarounds
In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Ready to move
Start Securing
Free, no credit card | First findings in minutes