Javascript Binding - Finalize JavascriptBindingApiAllowOrigins: Per-browser isolation and origin normalization

[luca-sonntag]

Fixes:
#5001

Summary:
This PR completes and optimizes the implementation of the JavascriptBindingApiAllowOrigins feature. The primary focus is shifting binding settings from a global state to a per-browser scope for better isolation and introducing robust origin normalization to ensure consistent security validation across different URL formats.

Changes:

• Per-Browser Settings Isolation:
  • Relocated JavaScript binding settings (JavascriptBindingApiEnabled, JavascriptBindingApiAllowOrigins, etc.) from the global CefAppUnmanagedWrapper to CefBrowserWrapper. This allows each browser instance to have its own independent list of allowed origins.
• Origin Normalization (C#):
  • Updated JavascriptBindingSettings.cs to automatically trim trailing slashes from strings added to the JavascriptBindingApiAllowOrigins list, preventing common configuration errors.
• Optimized C++ Validation Logic:
  • Centralized the security check into CefAppUnmanagedWrapper::IsJavascriptBindingApiAllowed.
  • Implemented normalization in the browser subprocess to strip trailing slashes from the frame origin string before comparison.
  • Switched to case-insensitive comparison (_wcsicmp) to align with standard origin matching behavior.
  • Integrated null checks for origin string pointers to improve stability.

How Has This Been Tested?

• Executed unit tests in CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs
• Verified that JavascriptBindingApiAllowOrigins correctly blocks or allows the cefSharp object based on the frame's URL.
• Confirmed that settings changed in one browser instance do not affect other instances (testing the move to CefBrowserWrapper).
• OS: Windows.

Screenshots (if appropriate): N/A

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Updated documentation

Checklist:

• Tested the code(if applicable)
• Commented my code
• Changed the documentation(if applicable)
• New files have a license disclaimer
• The formatting is consistent with the project (project supports .editorconfig)

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[AppVeyorBot]

❌ Build CefSharp 136.1.40-CI5434 failed (commit c7297af541 by @)