[java] Adding remote-allow-origins argument only when the Java 11 htt…

…p client is not used.

Fixes #11949

java/src/org/openqa/selenium/chrome/ChromeDriverInfo.java

@@ -45,14 +45,17 @@ public String getDisplayName() {
 
  @Override
  public Capabilities getCanonicalCapabilities() {
- // Allowing any origin "*" through remote-allow-origins might sound risky but an attacker
- // would need to know the port used to start DevTools to establish a connection. Given
- // these sessions are relatively short-lived, the risk is reduced. Also, this will be
- // removed when we only support Java 11 and above.
- return new ImmutableCapabilities(
- CapabilityType.BROWSER_NAME, CHROME.browserName(),
- ChromeOptions.CAPABILITY,
- ImmutableMap.of("args", ImmutableList.of("--remote-allow-origins=*")));
+ if (!"jdk-http-client".equalsIgnoreCase(System.getProperty("webdriver.http.factory", ""))) {
+ // Allowing any origin "*" through remote-allow-origins might sound risky but an attacker
+ // would need to know the port used to start DevTools to establish a connection. Given
+ // these sessions are relatively short-lived, the risk is reduced. Only set when the Java
+ // 11 client is not used.
+ return new ImmutableCapabilities(
+ CapabilityType.BROWSER_NAME, CHROME.browserName(),
+ ChromeOptions.CAPABILITY,
+ ImmutableMap.of("args", ImmutableList.of("--remote-allow-origins=*")));
+ }
+ return new ImmutableCapabilities(CapabilityType.BROWSER_NAME, CHROME.browserName());
  }
 
  @Override

java/src/org/openqa/selenium/chromium/ChromiumOptions.java

@@ -75,11 +75,13 @@ public class ChromiumOptions<T extends ChromiumOptions<?>> extends AbstractDrive
  public ChromiumOptions(String capabilityType, String browserType, String capability) {
  this.capabilityName = capability;
  setCapability(capabilityType, browserType);
- // Allowing any origin "*" might sound risky but an attacker would need to know
- // the port used to start DevTools to establish a connection. Given these sessions
- // are relatively short-lived, the risk is reduced. Also, this will be removed when
- // we only support Java 11 and above.
- addArguments("--remote-allow-origins=*");
+ if (!"jdk-http-client".equalsIgnoreCase(System.getProperty("webdriver.http.factory", ""))) {
+ // Allowing any origin "*" might sound risky but an attacker would need to know
+ // the port used to start DevTools to establish a connection. Given these sessions
+ // are relatively short-lived, the risk is reduced. Only set when the Java 11 client
+ // is not used.
+ addArguments("--remote-allow-origins=*");
+ }
  }
 
  /**

java/src/org/openqa/selenium/edge/EdgeDriverInfo.java

@@ -44,14 +44,17 @@ public String getDisplayName() {
 
  @Override
  public Capabilities getCanonicalCapabilities() {
- // Allowing any origin "*" through remote-allow-origins might sound risky but an attacker
- // would need to know the port used to start DevTools to establish a connection. Given
- // these sessions are relatively short-lived, the risk is reduced. Also, this will be
- // removed when we only support Java 11 and above.
- return new ImmutableCapabilities(
- CapabilityType.BROWSER_NAME, EDGE.browserName(),
- EdgeOptions.CAPABILITY,
- ImmutableMap.of("args", ImmutableList.of("--remote-allow-origins=*")));
+ if (!"jdk-http-client".equalsIgnoreCase(System.getProperty("webdriver.http.factory", ""))) {
+ // Allowing any origin "*" through remote-allow-origins might sound risky but an attacker
+ // would need to know the port used to start DevTools to establish a connection. Given
+ // these sessions are relatively short-lived, the risk is reduced. Only set when the Java
+ // 11 client is not used.
+ return new ImmutableCapabilities(
+ CapabilityType.BROWSER_NAME, EDGE.browserName(),
+ EdgeOptions.CAPABILITY,
+ ImmutableMap.of("args", ImmutableList.of("--remote-allow-origins=*")));
+ }
+ return new ImmutableCapabilities(CapabilityType.BROWSER_NAME, EDGE.browserName());
  }
 
  @Override