Electron Releases

Back to PR Lookup
GitHubView on GitHub
MarshallOfSound

#50118: fix: strictly validate sender for internal IPC reply channels

Merged
MarshallOfSound
Created: Mar 8, 2026, 12:10:43 AM
Merged: Mar 8, 2026, 5:39:05 PM
7 comments
Target: main

The sender-mismatch check in invokeInWebContents and invokeInWebFrameMain used a negative condition (type === 'frame' && sender !== expected), which only rejected mismatched frame senders and accepted anything else.

Invert to a positive check so only the exact expected frame can resolve the reply. This matches the guard style already used in lib/browser/rpc-server.ts and lib/browser/guest-view-manager.ts (if (event.type !== 'frame') return;).

Notes: none

Backports

38-x-y
Merged
PR Number
#50160
Merged At
Mar 10, 2026, 6:09:43 AM
Released In
v38.8.6
Release Date
Mar 10, 2026, 10:36:31 AM
39-x-y
Merged
PR Number
#50161
Merged At
Mar 9, 2026, 5:15:01 PM
Released In
Not yet
Release Date
Not yet
40-x-y
Merged
PR Number
#50125
Merged At
Mar 9, 2026, 5:36:48 AM
Released In
Not yet
Release Date
Not yet
41-x-y
Merged
PR Number
#50126
Merged At
Mar 9, 2026, 4:33:07 AM
Released In
Not yet
Release Date
Not yet

Semver Impact

Major
Breaking changes
Minor
New features
Patch
Bug fixes
None
Docs, tests, etc.

Semantic Versioning helps users understand the impact of updates:

  • Major (X.y.z): Breaking changes that may require code modifications
  • Minor (x.Y.z): New features that maintain backward compatibility
  • Patch (x.y.Z): Bug fixes that don't change the API
  • None: Changes that don't affect using facing parts of Electron