fix(core): IPC remote domain check bypassed by isolation iframe usage (#6691)

core/tauri/src/manager.rs

@@ -1154,9 +1154,20 @@ impl<R: Runtime> WindowManager<R> {
       }
     }
 
+    #[cfg(feature = "isolation")]
+    let pattern = self.pattern().clone();
     let current_url_ = pending.current_url.clone();
     let navigation_handler = pending.navigation_handler.take();
     pending.navigation_handler = Some(Box::new(move |url| {
+      // always allow navigation events for the isolation iframe and do not emit them for consumers
+      #[cfg(feature = "isolation")]
+      if let Pattern::Isolation { schema, .. } = &pattern {
+        if url.scheme() == schema
+          && url.domain() == Some(crate::pattern::ISOLATION_IFRAME_SRC_DOMAIN)
+        {
+          return true;
+        }
+      }
       *current_url_.lock().unwrap() = url.clone();
       if let Some(handler) = &navigation_handler {
         handler(url)

core/tauri/src/pattern.rs

@@ -15,7 +15,7 @@ use tauri_utils::assets::{Assets, EmbeddedAssets};
 pub const ISOLATION_IFRAME_SRC_DOMAIN: &str = "localhost";
 
 /// An application pattern.
-#[derive(Debug, Clone)]
+#[derive(Debug)]
 pub enum Pattern<A: Assets = EmbeddedAssets> {
   /// The brownfield pattern.
   Brownfield(PhantomData<A>),
@@ -38,6 +38,26 @@ pub enum Pattern<A: Assets = EmbeddedAssets> {
   },
 }
 
+impl<A: Assets> Clone for Pattern<A> {
+  fn clone(&self) -> Self {
+    match self {
+      Self::Brownfield(a) => Self::Brownfield(*a),
+      #[cfg(feature = "isolation")]
+      Self::Isolation {
+        assets,
+        schema,
+        key,
+        crypto_keys,
+      } => Self::Isolation {
+        assets: assets.clone(),
+        schema: schema.clone(),
+        key: key.clone(),
+        crypto_keys: crypto_keys.clone(),
+      },
+    }
+  }
+}
+
 /// The shape of the JavaScript Pattern config
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "lowercase", tag = "pattern")]