Favicon data: URL crashes network service in OSR mode (CorsURLLoaderFactory rejects data: scheme) #4121

@jaypaulb

CEF Version

142.0.17

OS

Linux (Ubuntu 24.04), x86_64

Description

When a web page dynamically sets a favicon <link> element's href to a data: URL (e.g. data:;base64,iVBORw0KGgo=), CEF's network service crashes with a FATAL error. This happens in off-screen rendering (windowless) mode.

The crash occurs because the favicon URL change triggers a resource fetch that gets routed through the network service's CorsURLLoaderFactory, which unconditionally rejects data: scheme URLs via mojo::ReportBadMessage() at cors_url_loader_factory.cc:637.

In a standard Chrome browser, data: URLs set as favicon hrefs are resolved inline by the renderer and never reach the network service. In CEF's OSR mode, they appear to be routed through the network stack instead.

Steps to Reproduce

  1. Initialize CEF with windowless_rendering_enabled = true
  2. Load a page that dynamically sets a favicon to a data: URL:
    <link rel="icon" href="data:;base64,iVBORw0KGgo=">
    Or via JavaScript:
    document.querySelector('link[rel="icon"]').setAttribute("href", "data:;base64,iVBORw0KGgo=");
  3. Network service crashes with:
    FATAL:services/network/network_service.cc:253] Received bad user message: CorsURLLoaderFactory: data: URL is not supported. 
  4. Network service restarts, crash repeats on subsequent favicon loads, eventually destabilizing the process

Real-world trigger

Azure AD B2C login pages (*.b2clogin.com) set favicon hrefs to data: URLs as a defensive measure in their $cors initialization function. This makes all Azure B2C auth flows unusable in CEF.

Crash log excerpt

[FATAL:services/network/network_service.cc:253] Received bad user message: CorsURLLoaderFactory: data: URL is not supported.
#17 network::cors::CorsURLLoaderFactory::IsValidRequest() [cors_url_loader_factory.cc:637:7]
#18 network::cors::CorsURLLoaderFactory::CreateLoaderAndStart() [cors_url_loader_factory.cc:385:8]
request_url = "data:;base64,iVBORw0KGgo="
[ERROR:content/browser/network_service_instance_impl.cc:613] Network service crashed, restarting service.

Expected behavior

data: URLs in favicon <link> elements should be resolved inline by the renderer, not routed through the network service.

Related Chromium commit

https://chromium.googlesource.com/chromium/src/+/363b949f — added the data: URL rejection as a safety net for exactly this class of bug (data: URLs leaking from Blink to the network service).
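
A log-triage sketch for the crash loop reported in this issue, added here as an example and not code from the issue author or the CEF project: it groups `Received bad user message` FATALs by reason and request URL scheme and flags repeated network service restarts. The sample log is constructed from the excerpt in the issue; the function names, the `[INFO:example]` line and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

FATAL_RE = re.compile(
    r"\[[^\]]*FATAL[^\]]*\]\s*Received bad user message:\s*(?P<reason>.+)")
URL_RE = re.compile(r'request_url\s*=\s*"(?P<url>[^"]*)"')
RESTART_MARKER = "Network service crashed, restarting service"

# Constructed sample: one crash modelled on the issue's excerpt, repeated 3 times.
ONE_CRASH = (
    "[FATAL:services/network/network_service.cc:253] Received bad user message: "
    "CorsURLLoaderFactory: data: URL is not supported.\n"
    "#17 network::cors::CorsURLLoaderFactory::IsValidRequest() "
    "[cors_url_loader_factory.cc:637:7]\n"
    'request_url = "data:;base64,iVBORw0KGgo="\n'
    "[ERROR:content/browser/network_service_instance_impl.cc:613] "
    "Network service crashed, restarting service.\n"
)
SAMPLE_LOG = "[INFO:example] page loaded\n" + ONE_CRASH * 3


def parse_bad_message_crashes(log_text):
    """Return one dict per bad-message FATAL: reason, URL scheme, restart seen."""
    events, current = [], None
    for line in log_text.splitlines():
        fatal = FATAL_RE.search(line)
        if fatal:
            current = {"reason": fatal.group("reason").strip(),
                       "scheme": None, "restarted": False}
            events.append(current)
            continue
        if current is None:
            continue  # ignore lines that are not part of a crash record
        url = URL_RE.search(line)
        if url and current["scheme"] is None:
            # Keep only the scheme; data: URLs can embed arbitrary page content.
            value = url.group("url")
            current["scheme"] = value.split(":", 1)[0].lower() if ":" in value else ""
        elif RESTART_MARKER in line:
            current["restarted"] = True
            current = None  # record closed by the restart line
    return events


def crash_loops(events, threshold=3):
    """Map (reason, scheme) to restart count where the count reaches threshold."""
    counts = Counter((e["reason"], e["scheme"]) for e in events if e["restarted"])
    return {key: n for key, n in counts.items() if n >= threshold}
```
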
