From abc499ec494de3a5846485f5ba87557ed818e6e4 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 10 Apr 2026 19:44:53 +0100 Subject: [PATCH] fix: preserve cdp guarded fetch dispatchers --- extensions/browser/src/browser/cdp.helpers.ts | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/extensions/browser/src/browser/cdp.helpers.ts b/extensions/browser/src/browser/cdp.helpers.ts index 14cd74908f0..6baa214e55f 100644 --- a/extensions/browser/src/browser/cdp.helpers.ts +++ b/extensions/browser/src/browser/cdp.helpers.ts @@ -251,17 +251,16 @@ export async function fetchCdpChecked( // Block redirects on all CDP HTTP paths (not just probes) because a // redirect to an internal host is an SSRF vector regardless of whether // the call is /json/version, /json/list, /json/activate, or /json/close. - const currentFetch = globalThis.fetch; - const guarded = await fetchWithSsrFGuard({ - url, - fetchImpl: async (input, guardedInit) => - await withNoProxyForCdpUrl(url, () => currentFetch(input, guardedInit)), - init: { ...init, headers }, - maxRedirects: 0, - policy: { allowPrivateNetwork: true }, - signal: ctrl.signal, - auditContext: "browser-cdp", - }); + const guarded = await withNoProxyForCdpUrl(url, () => + fetchWithSsrFGuard({ + url, + init: { ...init, headers }, + maxRedirects: 0, + policy: { allowPrivateNetwork: true }, + signal: ctrl.signal, + auditContext: "browser-cdp", + }), + ); release = guarded.release; const res = guarded.response; if (res.status >= 300 && res.status < 400) { @@ -274,6 +273,9 @@ export async function fetchCdpChecked( } throw new Error(`HTTP ${res.status}`); } + if (typeof res.arrayBuffer !== "function") { + return res; + } const body = await res.arrayBuffer(); return new Response(body, { headers: res.headers,