MarshallOfSound

#50123: fix: validate response header names and values before AddHeader

Merged
Created: Mar 8, 2026, 3:08:29 AM
Merged: Mar 8, 2026, 5:40:48 PM
5 comments
Target: main

Adds net::HttpUtil::IsValidHeaderName/IsValidHeaderValue checks before calling HttpResponseHeaders::AddHeader in:

  • ToResponseHead (custom protocol handler response headers) — invalid headers are dropped
  • Converter<HttpResponseHeaders*>::FromV8 (webRequest.onHeadersReceived) — conversion fails on invalid input

This matches the existing validation already applied to request headers in electron_api_url_loader.cc.

Notes: Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected.
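
The two behaviours the description names (drop invalid headers for custom protocol responses, fail the whole conversion for webRequest.onHeadersReceived), as an added example that is not Electron's or Chromium's code. `ValidName`, `ValidValue`, `DropInvalid`, `ConvertStrict` and the sample headers are hypothetical, and the validity rules used (RFC 7230 token for names; no NUL, CR or LF in values) are assumptions standing in for the net::HttpUtil checks.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

using HeaderList = std::vector<std::pair<std::string, std::string>>;

// Assumed name rule: non-empty and every byte is an RFC 7230 token character.
bool ValidName(const std::string& name) {
  static const std::string kSymbols = "!#$%&'*+-.^_`|~";
  if (name.empty()) return false;
  for (unsigned char c : name)
    if (!std::isalnum(c) && kSymbols.find(static_cast<char>(c)) == std::string::npos)
      return false;
  return true;
}

// Assumed value rule: no NUL, CR or LF, so a value cannot end the header line early.
bool ValidValue(const std::string& value) {
  return value.find_first_of(std::string("\0\r\n", 3)) == std::string::npos;
}

// Custom-protocol style: invalid entries are dropped, valid ones still go out.
HeaderList DropInvalid(const HeaderList& in) {
  HeaderList out;
  for (const auto& h : in)
    if (ValidName(h.first) && ValidValue(h.second)) out.push_back(h);
  return out;
}

// onHeadersReceived style: one invalid entry rejects the whole set; *out is untouched.
bool ConvertStrict(const HeaderList& in, HeaderList* out) {
  for (const auto& h : in)
    if (!ValidName(h.first) || !ValidValue(h.second)) return false;
  *out = in;
  return true;
}

// Constructed sample: one clean header, one value carrying CRLF, one name with a space.
HeaderList SampleHeaders() {
  return {{"Content-Type", "text/html"},
          {"X-Note", "ok\r\nSet-Cookie: injected=1"},
          {"Bad Name", "value"}};
}

int main() {
  HeaderList out;
  std::cout << "kept after drop: " << DropInvalid(SampleHeaders()).size() << "\n";
  std::cout << "strict accepted: " << ConvertStrict(SampleHeaders(), &out) << "\n";
}
```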

Backports

  • 38-x-y: Merged; PR Number: #50130; Merged At: Mar 9, 2026, 11:16:52 AM; Released In: v38.8.6; Release Date: Mar 10, 2026, 10:36:31 AM
  • 39-x-y: Merged; PR Number: #50129; Merged At: Mar 9, 2026, 10:40:52 AM; Released In: Not yet; Release Date: Not yet
  • 40-x-y: Merged; PR Number: #50131; Merged At: Mar 9, 2026, 5:36:35 AM; Released In: Not yet; Release Date: Not yet
  • 41-x-y: Merged; PR Number: #50132; Merged At: Mar 9, 2026, 6:34:05 AM; Released In: Not yet; Release Date: Not yet

Semver Impact

  • Major: Breaking changes
  • Minor: New features
  • Patch: Bug fixes
  • None: Docs, tests, etc.

Semantic Versioning helps users understand the impact of updates:

  • Major (X.y.z): Breaking changes that may require code modifications
  • Minor (x.Y.z): New features that maintain backward compatibility
  • Patch (x.y.Z): Bug fixes that don't change the API
  • None: Changes that don't affect user-facing parts of Electron