Javascript Binding - Finalize JavascriptBindingApiAllowOrigins: Per-browser isolation and origin normalization

[luca-sonntag]

Fixes:
#5001

Summary:
This PR completes and optimizes the implementation of the JavascriptBindingApiAllowOrigins feature. The primary focus is shifting binding settings from a global state to a per-browser scope for better isolation and introducing robust origin normalization to ensure consistent security validation across different URL formats.

Changes:

• Per-Browser Settings Isolation:
  • Relocated JavaScript binding settings (JavascriptBindingApiEnabled, JavascriptBindingApiAllowOrigins, etc.) from the global CefAppUnmanagedWrapper to CefBrowserWrapper. This allows each browser instance to have its own independent list of allowed origins.
• Origin Normalization (C#):
  • Updated JavascriptBindingSettings.cs to automatically trim trailing slashes from strings added to the JavascriptBindingApiAllowOrigins list, preventing common configuration errors.
• Optimized C++ Validation Logic:
  • Centralized the security check into CefAppUnmanagedWrapper::IsJavascriptBindingApiAllowed.
  • Implemented normalization in the browser subprocess to strip trailing slashes from the frame origin string before comparison.
  • Switched to case-insensitive comparison (_wcsicmp) to align with standard origin matching behavior.
  • Integrated null checks for origin string pointers to improve stability.

How Has This Been Tested?

• Executed unit tests in CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs
• Verified that JavascriptBindingApiAllowOrigins correctly blocks or allows the cefSharp object based on the frame's URL.
• Confirmed that settings changed in one browser instance do not affect other instances (testing the move to CefBrowserWrapper).
• OS: Windows.

Screenshots (if appropriate): N/A

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Updated documentation

Checklist:

• Tested the code(if applicable)
• Commented my code
• Changed the documentation(if applicable)
• New files have a license disclaimer
• The formatting is consistent with the project (project supports .editorconfig)

Summary by CodeRabbit

• New Features

  • Origin-based access control for the JavaScript binding API, allowing bindings only for configured origins
  • Automatic trailing-slash normalization for consistent origin matching
  • New configuration properties to enable/disable the binding API and supply allowed origins

• Tests

  • Added tests covering allowed/blocked origins, empty-origin behavior, and trailing-slash handling

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces a global JS-binding flag with per-browser settings, serializes allowed origins to browser extraInfo, and enforces origin checks during OnContextCreated to conditionally expose CefSharp/CefSharp JS binding objects. Tests and managed settings were added to configure and validate allowed origins.

Changes

Cohort / File(s)	Summary
Native browser subprocess changes CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp, CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.h	Added IsJavascriptBindingApiAllowed(CefRefPtr<CefFrame> frame) declaration and implementation; removed global _jsBindingApiEnabled; parse extraInfo in OnBrowserCreated to populate per-browser JS binding flags; gate binding setup in OnContextCreated using wrapper properties + origin check.
Browser wrapper state CefSharp.BrowserSubprocess.Core/CefBrowserWrapper.h	Added private MCefRefPtr<CefListValue> _javascriptBindingApiAllowOrigins; new public properties JavascriptBindingApiEnabled, JavascriptBindingApiHasAllowOrigins, JavascriptBindingApiAllowOrigins; initialize/clear these fields in ctor/dtor.
Managed settings & serialization CefSharp/JavascriptBinding/JavascriptBindingSettings.cs, CefSharp.Core.Runtime/ManagedCefBrowserAdapter.cpp	New managed property JavascriptBindingApiAllowOrigins with trimming normalization and helper HasJavascriptBindingApiAllowOrigins(); adapter serializes JavascriptBindingApiHasAllowOrigins and JavascriptBindingApiAllowOrigins into browser extraInfo during creation.
Tests CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs	Added tests for origin-based enabling/disabling: ShouldDisableJsBindingApiForOrigin, ShouldEnableJsBindingApiWhenOriginsListIsEmpty, ShouldEnableJsBindingApiForOriginWithOrWithoutTrailingSlash, ShouldEnableJsBindingApiForOrigin; adjusted existing test to await initial load before assertions.

Sequence Diagram(s)

sequenceDiagram
    participant App as Application
    participant MBA as ManagedCefBrowserAdapter
    participant BI as BrowserInit (native)
    participant CAW as CefAppUnmanagedWrapper
    participant BW as BrowserWrapper
    participant Frame as CefFrame / JavaScript

    App->>MBA: CreateBrowser(with JavascriptBindingSettings)
    MBA->>BI: include extraInfo.JavascriptBindingApiAllowOrigins
    BI->>CAW: OnBrowserCreated(extraInfo)
    CAW->>BW: Set JavascriptBindingApiEnabled/HasAllowOrigins/AllowOrigins

    Frame->>CAW: OnContextCreated(frame)
    CAW->>BW: Read wrapper.JavascriptBindingApiEnabled
    alt Enabled
        CAW->>CAW: IsJavascriptBindingApiAllowed(frame)
        CAW->>Frame: Parse frame.GetURL() origin & normalize
        CAW->>BW: Compare origin against wrapper.JavascriptBindingApiAllowOrigins
        alt Origin allowed or no origins configured
            CAW->>Frame: Inject cefSharp / CefSharp binding objects
        else Not allowed
            CAW->>Frame: Skip binding injection
        end
    else Disabled
        CAW->>Frame: Skip binding injection
    end

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly Related PRs

• Core - Rewrite RenderProcess to avoid using OnBrowserDestroyed for JS eval #5197 — Modifies CefAppUnmanagedWrapper and CefBrowserWrapper around JS binding/root object handling; closely related to the OnContextCreated / per-browser binding flow changes.

Poem

🐰 I hopped through frames and trimmed each trailing slash,
I kept the bindings safe from every stray cache.
Origins checked, the whitelist in place,
Only trusted domains may now embrace.
Hop, hop — secure bindings, steady and brash!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main changes: finalizing JavascriptBindingApiAllowOrigins with per-browser isolation and origin normalization, which matches the changeset.
Description check	✅ Passed	The description comprehensively covers all required template sections including fixes, summary, detailed changes, testing approach, and relevant checklists.
Linked Issues check	✅ Passed	The PR fully addresses #5001 by implementing origin-based access restrictions with per-browser isolation, origin normalization, and case-insensitive matching.
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing the JavascriptBindingApiAllowOrigins feature; the ARM64 build workaround is noted as temporary and related to the build environment.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[AppVeyorBot]

❌ Build CefSharp 136.1.40-CI5434 failed (commit c7297af541 by @)

[luca-sonntag]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp`:
- Around line 348-370: The code currently checks browserWrapper and
JavascriptBindingApiHasAllowOrigins but then dereferences
browserWrapper->JavascriptBindingApiAllowOrigins (used with GetSize/GetAt) which
can be null; add a local smart-pointer/local reference like allowOrigins =
browserWrapper->JavascriptBindingApiAllowOrigins right after the existing flag
check, guard it with if (!allowOrigins.get()) { return false; } (fail closed)
and then replace subsequent direct uses of
browserWrapper->JavascriptBindingApiAllowOrigins with allowOrigins when calling
GetSize/GetAt; keep the existing frameUrl/frameUrlOrigin logic intact.
- Around line 103-113: The JS binding API flags are only being set when the
wrapper is created for non-popup browsers, leaving popup wrappers with defaults
(Enabled=true, HasAllowOrigins=false) which makes
IsJavascriptBindingApiAllowed() return true for popups; move the block that
reads and assigns wrapper->JavascriptBindingApiEnabled,
wrapper->JavascriptBindingApiHasAllowOrigins and the
wrapper->JavascriptBindingApiAllowOrigins population (the
extraInfo->GetBool/GetList logic) out of the if (!browser->IsPopup()) scope so
these settings are always applied to every CefAppUnmanagedWrapper instance,
ensuring IsJavascriptBindingApiAllowed() enforces configured restrictions for
popups as well.

In `@CefSharp/JavascriptBinding/JavascriptBindingSettings.cs`:
- Around line 52-57: The normalization currently calls origin.EndsWith(...)
inside the setter and will throw if any element of the incoming string[] value
is null; update the mapping used to populate javascriptBindingApiAllowOrigins so
it guards against null entries (e.g., map null to null or to an empty string) by
checking origin == null before calling EndsWith, and otherwise apply the
existing trimming logic; modify the conversion that uses Array.ConvertAll (the
lambda that references origin) to perform that null check to avoid
NullReferenceException.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9aeb5cb and 5d445bb.

📒 Files selected for processing (4)

• CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp
• CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.h
• CefSharp.BrowserSubprocess.Core/CefBrowserWrapper.h
• CefSharp/JavascriptBinding/JavascriptBindingSettings.cs

[AppVeyorBot]

❌ Build CefSharp 136.1.40-CI5435 failed (commit e96399376a by @)

[AppVeyorBot]

❌ Build CefSharp 136.1.40-CI5436 failed (commit 3067020ea6 by @)

[AppVeyorBot]

✅ Build CefSharp 136.1.40-CI5437 completed (commit a0289d8427 by @)

[luca-sonntag]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp (1)

351-401: Well-structured origin validation with fail-closed security defaults.

The implementation correctly:

• Falls back to permissive behavior when no allow-origins are configured (backward compatibility)
• Fails closed when allow-origins are expected but the list is null (lines 360-364)
• Normalizes origins by removing trailing slashes before comparison
• Uses case-insensitive comparison for origin matching
• Fails closed when URL parsing fails or no match is found

One optional defensive improvement: consider adding a null check for originStr at line 375 before dereferencing, in case CEF returns inconsistent length/pointer data:

🛡️ Optional defensive fix

                 auto originStr = frameUrlParts.origin.str;
                 auto originLen = frameUrlParts.origin.length;

-                if (originLen > 0 && originStr[originLen - 1] == L'/')
+                if (originStr != nullptr && originLen > 0 && originStr[originLen - 1] == L'/')
                 {
                     originLen--;
                 }
+
+                if (originStr == nullptr)
+                {
+                    return false;
+                }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp` around lines 351
- 401, The method IsJavascriptBindingApiAllowed should defensively verify that
frameUrlParts.origin.str is not null before dereferencing it; update the logic
in IsJavascriptBindingApiAllowed (around the use of frameUrlParts.origin.str and
originLen) to check that originStr != nullptr prior to accessing
originStr[originLen - 1] or constructing CefString, and if originStr is null
treat it as a parse failure (return false) so we maintain the fail-closed
behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp`:
- Around line 351-401: The method IsJavascriptBindingApiAllowed should
defensively verify that frameUrlParts.origin.str is not null before
dereferencing it; update the logic in IsJavascriptBindingApiAllowed (around the
use of frameUrlParts.origin.str and originLen) to check that originStr !=
nullptr prior to accessing originStr[originLen - 1] or constructing CefString,
and if originStr is null treat it as a parse failure (return false) so we
maintain the fail-closed behavior.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d445bb and 6cd5871.

📒 Files selected for processing (4)

• CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp
• CefSharp.BrowserSubprocess.Core/Stdafx.h
• CefSharp.Core.Runtime/Stdafx.h
• CefSharp/JavascriptBinding/JavascriptBindingSettings.cs

[luca-sonntag]

@amaitland I’ve reviewed your comments on PR #5085 and implemented the remaining changes in this PR. I wasn’t sure what the usual process is for finalizing open PRs, so I targeted your branch for these updates.

There were problems with the build. The AppVeyor 'Visual Studio 2019' image update introduced Windows SDK 10.0.26100.0, which contains a bug in winnt.h where _CountOneBits64 is called without being defined for the ARM64 v142 toolchain. This caused the build to fail. I’ve added a temporary workaround in commit “Fix ARM64 build error C3861 in winnt.h (Windows SDK 10.0.26100.0)”. Since the master branch already uses Visual Studio 2022 by default on the build machine, this commit should no longer be necessary there and can be removed once everything is fully on VS 2022.

[amaitland]

@luca-sonntag Thanks for the PR. As my branch is out of date, can you target directly against master and rebase so it's up to date please.

My two commits can probably be squashed into a single commit.

[amaitland]

Since the master branch already uses Visual Studio 2022 by default on the build machine, this commit should no longer be necessary there and can be removed once everything is fully on VS 2022.

Once you've rebased on master then please revert the unnecessary changes. Thanks

[amaitland]

Additional tests will also need to be written. #5085 (comment)

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp (1)

67-70: ⚠️ Potential issue | 🔴 Critical

Popups bypass JavaScript binding origin restrictions.

At line 67, OnBrowserCreated returns early for popups (null extraInfo), leaving JavascriptBindingApiEnabled=true and JavascriptBindingApiHasAllowOrigins=false. This causes IsJavascriptBindingApiAllowed() to return true regardless of origin, allowing unrestricted JavaScript binding API access in popup windows. The code acknowledges "Popups don't send this information" (line 72-73) but provides no rationale or enforcement of parent browser's binding restrictions.

Either populate popup extraInfo with inherited binding keys from the parent browser (lines 85-100 in ManagedCefBrowserAdapter show the required keys), or implement and document explicit popup-specific binding policy.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp` around lines 67 -
70, OnBrowserCreated currently returns early when extraInfo is null, leaving
JavascriptBindingApiEnabled true and JavascriptBindingApiHasAllowOrigins false
which lets popups bypass origin checks; update OnBrowserCreated (and related
popup handling) to either inherit the parent's binding metadata into the popup's
extraInfo (copy the same binding keys that ManagedCefBrowserAdapter expects so
popups get the parent's allowed origins/keys) or enforce an explicit
popup-specific policy by setting JavascriptBindingApiEnabled=false or populating
JavascriptBindingApiHasAllowOrigins and allowed-origins before returning; ensure
IsJavascriptBindingApiAllowed consults the inherited/populated values so popup
windows are subject to the same origin restrictions as their parent.

🧹 Nitpick comments (1)

CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs (1)

133-242: Consider adding popup-specific allow-origin tests to lock this security path.

The new tests cover main-frame origin behavior well, but popup enforcement is also part of this change set. A window.open(...) scenario would reduce regression risk.

If helpful, I can draft a focused popup test case pattern for this suite.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs` around lines 133 -
242, Add popup-specific tests mirroring the existing origin tests (e.g.
ShouldDisableJsBindingApiForOrigin, ShouldEnableJsBindingApiForOrigin,
ShouldEnableJsBindingApiWhenOriginsListIsEmpty) that open a popup via
window.open(...) from the initial page and then evaluate the same checks inside
the popup; specifically, use ChromiumWebBrowser with
automaticallyCreateBrowser:false, call browser.CreateBrowser(),
WaitForInitialLoadAsync(), then EvaluateScriptAsync("window.open('...')") to
open the popup and obtain a reference/URL for the new window, wait for that
popup to finish loading, and assert typeof window.cefSharp / typeof
window.CefSharp in the popup matches the expected allowed-or-not result for the
configured JavascriptBindingApiAllowOrigins; place these new tests in
JavascriptBindingTests.cs alongside the existing Theory/Fact tests and reuse the
same setup (JavascriptObjectRepository.Settings, JavascriptBindingApiEnabled,
JavascriptBindingApiAllowOrigins) to ensure popup origin enforcement is covered.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs`:
- Around line 175-176: The test awaits browser.WaitForInitialLoadAsync() but
doesn't verify the result; after each call that assigns the result to
loadResponse (the awaited value from WaitForInitialLoadAsync in
JavascriptBindingTests), add Assert.True(loadResponse.Success) to assert the
initial load succeeded (repeat for the occurrences that currently await but lack
an assertion).

---

Outside diff comments:
In `@CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp`:
- Around line 67-70: OnBrowserCreated currently returns early when extraInfo is
null, leaving JavascriptBindingApiEnabled true and
JavascriptBindingApiHasAllowOrigins false which lets popups bypass origin
checks; update OnBrowserCreated (and related popup handling) to either inherit
the parent's binding metadata into the popup's extraInfo (copy the same binding
keys that ManagedCefBrowserAdapter expects so popups get the parent's allowed
origins/keys) or enforce an explicit popup-specific policy by setting
JavascriptBindingApiEnabled=false or populating
JavascriptBindingApiHasAllowOrigins and allowed-origins before returning; ensure
IsJavascriptBindingApiAllowed consults the inherited/populated values so popup
windows are subject to the same origin restrictions as their parent.

---

Nitpick comments:
In `@CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs`:
- Around line 133-242: Add popup-specific tests mirroring the existing origin
tests (e.g. ShouldDisableJsBindingApiForOrigin,
ShouldEnableJsBindingApiForOrigin,
ShouldEnableJsBindingApiWhenOriginsListIsEmpty) that open a popup via
window.open(...) from the initial page and then evaluate the same checks inside
the popup; specifically, use ChromiumWebBrowser with
automaticallyCreateBrowser:false, call browser.CreateBrowser(),
WaitForInitialLoadAsync(), then EvaluateScriptAsync("window.open('...')") to
open the popup and obtain a reference/URL for the new window, wait for that
popup to finish loading, and assert typeof window.cefSharp / typeof
window.CefSharp in the popup matches the expected allowed-or-not result for the
configured JavascriptBindingApiAllowOrigins; place these new tests in
JavascriptBindingTests.cs alongside the existing Theory/Fact tests and reuse the
same setup (JavascriptObjectRepository.Settings, JavascriptBindingApiEnabled,
JavascriptBindingApiAllowOrigins) to ensure popup origin enforcement is covered.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6cd5871 and 6cefcea.

📒 Files selected for processing (6)

• CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.cpp
• CefSharp.BrowserSubprocess.Core/CefAppUnmanagedWrapper.h
• CefSharp.BrowserSubprocess.Core/CefBrowserWrapper.h
• CefSharp.Core.Runtime/ManagedCefBrowserAdapter.cpp
• CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs
• CefSharp/JavascriptBinding/JavascriptBindingSettings.cs

[AppVeyorBot]

✅ Build CefSharp 145.0.260-CI5438 completed (commit ab5e7166dd by @)

[coderabbitai]

🧹 Nitpick comments (1)

CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs (1)

218-248: Consider adding case-insensitive origin matching test coverage.

The test correctly validates that binding is enabled when a matching origin exists at various positions in the allow list. However, the PR implements case-insensitive comparison using _wcsicmp, but there's no test validating this behavior (e.g., matching "HTTPS://CEFSHARP.EXAMPLE" against a lowercase origin).

Also, minor style nit: missing blank line between line 217 and the [Theory] attribute at line 218 for consistency with other test methods.

🧪 Suggested additional test case for case-insensitive matching

[Fact]
public async Task ShouldEnableJsBindingApiForOriginCaseInsensitive()
{
    using (var browser = new ChromiumWebBrowser(CefExample.BindingApiCustomObjectNameTestUrl, automaticallyCreateBrowser: false))
    {
        var settings = browser.JavascriptObjectRepository.Settings;
        settings.JavascriptBindingApiEnabled = true;
        // Use different casing than the actual origin
        settings.JavascriptBindingApiAllowOrigins = new string[] { "HTTPS://CEFSHARP.EXAMPLE" };

        browser.CreateBrowser();

        var loadResponse = await browser.WaitForInitialLoadAsync();

        Assert.True(loadResponse.Success);

        var response = await browser.EvaluateScriptAsync("typeof window.cefSharp === 'undefined'");

        Assert.True(response.Success);
        Assert.False((bool)response.Result); // Should be enabled due to case-insensitive match
    }
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs` around lines 218 -
248, Add a new test that verifies case-insensitive origin matching: create a
test (e.g., ShouldEnableJsBindingApiForOriginCaseInsensitive) that mirrors
ShouldEnableJsBindingApiForOrigin but sets
settings.JavascriptBindingApiAllowOrigins to a differently-cased origin (for
example "HTTPS://CEFSHARP.EXAMPLE"), enables
settings.JavascriptBindingApiEnabled, calls browser.CreateBrowser(), waits for
load with WaitForInitialLoadAsync, and asserts the CefSharp binding exists via
EvaluateScriptAsync; this will validate the _wcsicmp-based case-insensitive
comparison. Also add the missing blank line before the existing [Theory]
attribute to match style/consistency.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs`:
- Around line 218-248: Add a new test that verifies case-insensitive origin
matching: create a test (e.g., ShouldEnableJsBindingApiForOriginCaseInsensitive)
that mirrors ShouldEnableJsBindingApiForOrigin but sets
settings.JavascriptBindingApiAllowOrigins to a differently-cased origin (for
example "HTTPS://CEFSHARP.EXAMPLE"), enables
settings.JavascriptBindingApiEnabled, calls browser.CreateBrowser(), waits for
load with WaitForInitialLoadAsync, and asserts the CefSharp binding exists via
EvaluateScriptAsync; this will validate the _wcsicmp-based case-insensitive
comparison. Also add the missing blank line before the existing [Theory]
attribute to match style/consistency.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6cefcea and b54d60f.

📒 Files selected for processing (1)

• CefSharp.Test/JavascriptBinding/JavascriptBindingTests.cs