Skip to content

fix: grant media permissions to fix call crashes#2331

Open
IsmaelMartinez wants to merge 4 commits intomainfrom
worktree-woolly-squishing-toast
Open

fix: grant media permissions to fix call crashes#2331
IsmaelMartinez wants to merge 4 commits intomainfrom
worktree-woolly-squishing-toast

Conversation

@IsmaelMartinez
Copy link
Owner

@IsmaelMartinez IsmaelMartinez commented Mar 13, 2026

Summary

  • Adds setPermissionRequestHandler to explicitly grant camera, microphone, and display-capture permission requests. Without this, Electron may block or prompt for media access, causing Teams' calling module to fail during initialisation.
  • Adds setPermissionCheckHandler for trusted Teams origins so synchronous permission checks return the correct state.
  • Overrides navigator.permissions.query() in the preload script to report 'granted' for media permissions. This covers a gap where Electron's native handler may not fully map to the renderer's Permissions API, depending on the Chromium version bundled with Electron.

These three layers together ensure Teams' calling component sees granted permissions at every point it checks during _getInitialState, which is where the crash occurs before WebRTC negotiation even begins.

Supersedes #2289. Addresses #2221.

Test plan

  • Verify calls work on X11
  • Verify calls work on Wayland (both native and XWayland)
  • Verify screen sharing still works
  • Verify notifications still work
  • Verify camera and microphone are accessible during calls

🤖 Generated with Claude Code

@IsmaelMartinez @claude
fix: grant media permissions at all layers to fix call crashes (#2221)
480edb4 
Teams' calling component crashes during _getInitialState because
Electron does not grant media permissions by default. This adds
permission handling at three layers:

1. setPermissionRequestHandler - grants camera/microphone/display-capture
   requests so Teams can access devices without a prompt dialog
2. setPermissionCheckHandler - returns true for trusted Teams origins so
   navigator.permissions.query() reports the correct state
3. Preload permissions.query() override - directly patches the renderer
   Permissions API to report 'granted' for media, covering Chromium
   version differences in how the native handler maps to the JS API

Supersedes #2289.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026

✅ Changelog entry generated and committed to this PR:

Fix: Grant media permissions to prevent call crashes in Teams - by @IsmaelMartinez (#2331)

The file .changelog/pr-2331.txt will be included when you merge this PR.

You can edit it directly in this PR if needed.

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Mar 13, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue causing Teams' calling module to crash during initialization by implementing a multi-layered approach to ensure media permissions (camera, microphone, display-capture) are consistently granted within the Electron environment. It prevents permission-related failures that arise from Electron's default behavior or Chromium version inconsistencies, thereby stabilizing the calling experience.

Highlights

  • Explicit Permission Granting: Implemented setPermissionRequestHandler to explicitly grant camera, microphone, and display-capture permissions, preventing Electron from blocking or prompting for media access during Teams' calling module initialization.
  • Synchronous Permission Checks: Added setPermissionCheckHandler for trusted Teams origins to ensure synchronous permission checks correctly report a granted state, crucial for the calling module's initialization.
  • Renderer Permissions API Override: Overrode navigator.permissions.query() in the preload script to consistently report 'granted' for media permissions, addressing inconsistencies between Electron's native handler and the renderer's Permissions API.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • app/browser/preload.js
    • Overrode navigator.permissions.query() to always return 'granted' for specific media permissions.
  • app/mainAppWindow/index.js
    • Added session.setPermissionRequestHandler to explicitly grant media-related permissions.
    • Added session.setPermissionCheckHandler to grant permission checks for trusted Teams origins.
Activity
  • No human activity has been recorded on this pull request since its creation.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 13, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a comprehensive, multi-layered approach to grant media permissions, aiming to resolve call-related crashes. The changes in preload.js to override navigator.permissions.query and the use of setPermissionRequestHandler in mainAppWindow/index.js are well-implemented. However, I've identified a security vulnerability in the implementation of setPermissionCheckHandler where the origin check is not strict enough, potentially allowing malicious origins to be granted permissions. Please see my detailed comment.

@IsmaelMartinez IsmaelMartinez mentioned this pull request Mar 13, 2026
Closed
4 tasks
@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026
edited
Loading

📦 PR Build Artifacts

Build successful! Download artifacts:

🐧 Linux

x86_64 (434.04 MB) - Contains: .deb, .rpm, .tar.gz, .AppImage

arm64 (425.24 MB) - Contains: .deb, .rpm, .tar.gz, .AppImage

armv7l (403.29 MB) - Contains: .deb, .rpm, .tar.gz, .AppImage

🍎 macOS

x86_64 (124.84 MB) - Contains: .dmg

🪟 Windows

x86_64 (105.41 MB) - Contains: .exe installer

📝 Note: Snap packages (.snap) are built in a separate workflow

View workflow run

🕐 Last updated: 2026-03-13 07:41 UTC

@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026
edited
Loading

📦 PR Snap Build Artifacts

Snap builds successful! Download artifacts:

🐧 Linux Snap Packages

x86_64 (107.27 MB)

arm64 (104.18 MB)

armv7l (98.41 MB)

📝 Note: Other package formats (.deb, .rpm, .AppImage, .dmg, .exe) are built in the main workflow

View workflow run

IsmaelMartinez and others added 2 commits March 13, 2026 07:23
@IsmaelMartinez @claude
fix: use exact URL origin matching for permission check
ad29a1e 
Use URL parsing with exact match instead of startsWith to prevent
subdomain bypass (e.g. teams.microsoft.com.evil.com).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@IsmaelMartinez @claude
refactor: use Set for trustedOrigins lookup
31b91c4 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 13, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@IsmaelMartinez IsmaelMartinez mentioned this pull request Mar 13, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

2.7.x - Integration 2025
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@IsmaelMartinez