fix(webkitgtk): mark custom URI schemes as CORS-enabled #1725
Draft
sozenta wants to merge 1 commit into
webkit2gtk 2.46 added a requirement that custom URI schemes registered via `webkit_web_context_register_uri_scheme()` must ALSO be in the CORS allow-list (`webkit_security_manager_register_uri_scheme_as_cors_enabled()`) for the host's handler to be invoked on top-level navigations.

Previously wry only called `register_uri_scheme_as_secure()`. On webkit2gtk ≤ 2.44 (Ubuntu 22.04 / 24.04) this was sufficient. On webkit2gtk 2.46+ (Ubuntu 26.04, Fedora 40+, Arch rolling) webkit silently bypasses the handler and falls through to the default network loader.

Symptom for Tauri apps: the bundled UI loaded via `tauri://localhost/` fails to render and the webview shows "Could not connect to localhost: Connection refused" because the request lands at `http://localhost:80/` where nothing's listening.

The CORS-enable call is a no-op on older webkit2gtk so the patch is safe across versions.

Verified end-to-end on Ubuntu 26.04 LTS aarch64 with webkit2gtk 2.52.0: before, custom-scheme load shows the connection-error page; after, the embedded UI loads correctly.
Contributor
Package Changes Through 855ee44
There are 1 changes which include wry with minor
Planned Package Versions
The following package releases are the planned based on the context of changes in this pull request.
Summary
On Linux, the registered handler for a custom URI scheme is silently bypassed by webkit2gtk 2.46+ for top-level navigations unless the scheme is also marked CORS-enabled. Adds the missing `register_uri_scheme_as_cors_enabled()` call alongside the existing `register_uri_scheme_as_secure()`.
Why
webkit2gtk 2.46 tightened security around custom URI schemes. The scheme registration via `webkit_web_context_register_uri_scheme()` no longer dispatches the handler for top-level navigations unless the scheme is also in the CORS allow-list. Without it, webkit silently routes the request through the default network loader.
For a Tauri app loading the bundled UI via `tauri://localhost/index.html`, this means the request lands at `http://localhost:80/` (with nothing listening) and the webview shows webkit's standard "Could not connect to localhost: Connection refused" error page — the entire app appears broken to the user.
The new call is a no-op on webkit2gtk ≤ 2.44 (Ubuntu 22.04 / 24.04) so the fix is safe to ship across versions.
Validation
Test plan
Notes
Draft until reviewers confirm + I respond to feedback.
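A text-level regression check for the pairing this PR describes, added here as an example (not code from wry or from the PR): it flags any scheme argument passed to `register_uri_scheme_as_secure()` that has no matching `register_uri_scheme_as_cors_enabled()` call. The sample snippets and the `sm` and `name` identifiers are constructed assumptions, and the check matches method-style calls as plain text, so comments and strings are not excluded.

```rust
use std::collections::BTreeSet;

/// Collect the argument of every `<method>(arg)` call found in `src`.
/// Plain text matching: it does not parse Rust, so comments also match.
fn call_args(src: &str, method: &str) -> BTreeSet<String> {
    let needle = format!("{}(", method);
    let mut args = BTreeSet::new();
    let mut rest = src;
    while let Some(pos) = rest.find(&needle) {
        let after = &rest[pos + needle.len()..];
        // The argument runs to the first ')' or ','; enough for `(name)` calls.
        let end = after
            .find(|c: char| c == ')' || c == ',')
            .unwrap_or(after.len());
        let arg = after[..end].trim();
        if !arg.is_empty() {
            args.insert(arg.to_string());
        }
        rest = after;
    }
    args
}

/// Schemes registered as secure with no matching CORS-enabled registration.
pub fn schemes_missing_cors(src: &str) -> Vec<String> {
    let secure = call_args(src, "register_uri_scheme_as_secure");
    let cors = call_args(src, "register_uri_scheme_as_cors_enabled");
    secure.difference(&cors).cloned().collect()
}

// Constructed samples (not code from wry): `sm` stands for the security
// manager object and `name` for the custom scheme being registered.
const BEFORE: &str = r#"
    sm.register_uri_scheme_as_secure(name);
"#;
const AFTER: &str = r#"
    sm.register_uri_scheme_as_secure(name);
    sm.register_uri_scheme_as_cors_enabled(name);
"#;

fn main() {
    for (label, src) in [("before", BEFORE), ("after", AFTER)] {
        let missing = schemes_missing_cors(src);
        println!("{}: missing CORS-enabled registration for {:?}", label, missing);
    }
}
```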