Description
Describe the bug
Browsers can create "pictureInPicture" child windows for the current webpage that allow some part of the content to exist outside of the current browser tab. Google does this when you're in a meeting, for example, and you switch to a different tab. This functionality has been supported on modern browsers for a while, and recently Tauri tightened security around these windows (see #14411 for reference) but still allows windows to be created through the Rust "backend".
Creating such a PictureInPicture window requires that the child window has a window.location.href of about:blank. Setting any other URL there causes the window to be closed automatically. Any content in this window will be created and controlled from the parent window instance, via JavaScript. This causes a problem when the parent window tries to add HTML code that needs to load some kind of static asset, like an image. The webview will try to load this image via a regular HTTP request to http://tauri.localhost, but since it's coming from about:blank, it will be missing a Referer header / Origin.
Tauri will outright refuse serving any local assets to requests without a Referer and immediately terminate the request with a "connection refused".
Reproduction
const child = await window.documentPictureInPicture.requestWindow();
child.document.body.innerHTML = "<img src='http://tauri.localhost/image.png'>";
Expected behavior
The image.png file is loaded properly.
Full tauri info output
> botc-app@3.50.1 tauri
> tauri info
[✔] Environment
- OS: Solus 4.8.0 x86_64 (X64) (budgie-desktop on x11)
✔ webkit2gtk-4.1: 2.50.4
✔ rsvg2: 2.61.1
✔ rustc: 1.85.0 (4d91de4e4 2025-02-17)
✔ cargo: 1.85.0 (d73d2caf9 2024-12-31)
✔ rustup: 1.28.1 (f9edccde0 2025-03-05)
✔ Rust toolchain: stable-x86_64-unknown-linux-gnu (default)
- node: 24.0.1
- npm: 11.3.0
- deno: deno 2.6.6
[-] Packages
- tauri 🦀: 2.9.2, (outdated, latest: 2.9.5)
- tauri-build 🦀: 2.5.1, (outdated, latest: 2.5.3)
- wry 🦀: 0.53.5, (outdated, latest: 0.54.1)
- tao 🦀: 0.34.5
- @tauri-apps/api ⱼₛ: 2.9.0 (outdated, latest: 2.9.1)
- @tauri-apps/cli ⱼₛ: 2.9.2 (outdated, latest: 2.9.6)
[-] Plugins
- tauri-plugin-dialog 🦀: 2.4.2, (outdated, latest: 2.6.0)
- @tauri-apps/plugin-dialog ⱼₛ: 2.4.2 (outdated, latest: 2.6.0)
- tauri-plugin-os 🦀: 2.3.2
- @tauri-apps/plugin-os ⱼₛ: 2.3.2
- tauri-plugin-shell 🦀: 2.3.3, (outdated, latest: 2.3.4)
- @tauri-apps/plugin-shell ⱼₛ: not installed!
- tauri-plugin-window-state 🦀: 2.4.1
- @tauri-apps/plugin-window-state ⱼₛ: 2.4.1
- tauri-plugin-process 🦀: 2.3.1
- @tauri-apps/plugin-process ⱼₛ: 2.3.1
- tauri-plugin-updater 🦀: 2.9.0
- @tauri-apps/plugin-updater ⱼₛ: 2.9.0
- tauri-plugin-fs 🦀: 2.4.4, (outdated, latest: 2.4.5)
- @tauri-apps/plugin-fs ⱼₛ: 2.4.4 (outdated, latest: 2.4.5)
[-] App
- build-type: bundle
- CSP: unset
- frontendDist: ../dist
- devUrl: http://localhost:8080/
- framework: Vue.js
- bundler: Vite
Stack trace
Failed to load resource: net::ERR_CONNECTION_REFUSED
Additional context
It would be great if there was an easy config override to allow empty referers on static asset requests.
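One way to work around the behaviour described above without loosening the Referer check, as an added example that is not part of the issue or of Tauri's own code: the parent document fetches the asset itself (its requests to http://tauri.localhost originate from the parent's origin, so they carry a Referer), converts the bytes to an inline data: URL, and hands that to the about:blank picture-in-picture child, which then needs no network request at all. The helper names (`bytesToDataUrl`, `fetchAsDataUrl`, `openPipWithImage`) and the injectable `fetchImpl` parameter are assumptions made for this example; the PNG signature bytes below are constructed sample input.

```javascript
// Added example, not from the Tauri project or the issue author.
// Assumption: the parent page itself lives on http://tauri.localhost, so a
// fetch() issued from it carries the Referer that Tauri's asset server
// requires, while a request issued by the about:blank PiP child does not.

// Pure helper: encode fetched bytes as a data: URL.  The child renders this
// inline, so the asset check is neither bypassed nor triggered.
// Works in browsers and in Node >= 16 (both provide btoa).
function bytesToDataUrl(bytes, mimeType) {
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return `data:${mimeType};base64,${btoa(binary)}`;
}

// Fetch in the parent document's context.  `fetchImpl` is injectable so the
// function can be exercised outside a browser (hypothetical parameter).
async function fetchAsDataUrl(url, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url);
  if (!response.ok) {
    throw new Error(`asset ${url} failed: ${response.status}`);
  }
  const mimeType = response.headers.get("content-type") || "application/octet-stream";
  const bytes = new Uint8Array(await response.arrayBuffer());
  return bytesToDataUrl(bytes, mimeType);
}

// Browser-only: open the Document Picture-in-Picture window and insert the
// image with its content already inlined, instead of pointing the child at
// http://tauri.localhost/image.png directly.
async function openPipWithImage(assetUrl) {
  const child = await window.documentPictureInPicture.requestWindow();
  const img = child.document.createElement("img");
  img.src = await fetchAsDataUrl(assetUrl);
  child.document.body.append(img);
  return child;
}

// Constructed sample input: the first four bytes of a PNG file signature.
const SAMPLE_PNG_SIGNATURE = new Uint8Array([0x89, 0x50, 0x4e, 0x47]);

// Fake fetch so the workaround can be checked without a webview or network.
async function fakeFetch(url) {
  return {
    ok: true,
    status: 200,
    headers: new Map([["content-type", "image/png"]]),
    arrayBuffer: async () => SAMPLE_PNG_SIGNATURE.buffer,
  };
}
```

A data: URL is used rather than a blob: URL so that the workaround does not depend on the child window sharing the opener's origin; it also keeps Tauri's Referer check intact, which is preferable to a config override that would let any origin-less request pull local assets.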