Merge pull request #5559 from electron/disable-webview

Disable webview when nodeIntegration is off
electron · May 18, 2016 · 397d0e3 · 397d0e3
2 parents 27da0f3 + 7ce87c4
commit 397d0e3
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 41 deletions.
diff --git a/docs/api/web-view-tag.md b/docs/api/web-view-tag.md
@@ -12,6 +12,9 @@ app. It doesn't have the same permissions as your web page and all interactions
 between your app and embedded content will be asynchronous. This keeps your app
 safe from the embedded content.
 
+For security purpose, `webview` can only be used in `BrowserWindow`s that have
+`nodeIntegration` enabled.
+
 ## Example
 
 To embed a web page in your app, add the `webview` tag to your app's embedder

diff --git a/lib/browser/guest-view-manager.js b/lib/browser/guest-view-manager.js
@@ -183,10 +183,6 @@ var attachGuest = function (embedder, elementInstanceId, guestInstanceId, params
     blinkFeatures: params.blinkfeatures
   }
 
-  if (embedder.getWebPreferences().nodeIntegration === false) {
-    webPreferences.nodeIntegration = false
-  }
-
   if (params.preload) {
     webPreferences.preloadURL = params.preload
   }

diff --git a/lib/renderer/init.js b/lib/renderer/init.js
@@ -70,7 +70,7 @@ if (window.location.protocol === 'chrome-devtools:') {
   require('./override')
 
   // Load webview tag implementation.
-  if (process.guestInstanceId == null) {
+  if (nodeIntegration === 'true' && process.guestInstanceId == null) {
     require('./web-view/web-view')
     require('./web-view/web-view-attributes')
   }

diff --git a/spec/fixtures/module/preload-webview.js b/spec/fixtures/module/preload-webview.js
@@ -0,0 +1,5 @@
+const {ipcRenderer} = require('electron')
+
+window.onload = function () {
+  ipcRenderer.send('webview', typeof WebView)
+}
diff --git a/spec/webview-spec.js b/spec/webview-spec.js
@@ -8,7 +8,9 @@ describe('<webview> tag', function () {
   this.timeout(20000)
 
   var fixtures = path.join(__dirname, 'fixtures')
+
   var webview = null
+  let w = null
 
   beforeEach(function () {
     webview = new WebView()
@@ -18,17 +20,38 @@ describe('<webview> tag', function () {
     if (document.body.contains(webview)) {
       document.body.removeChild(webview)
     }
+    if (w) {
+      w.destroy()
+      w = null
+    }
   })
 
   it('works without script tag in page', function (done) {
-    let w = new BrowserWindow({show: false})
+    w = new BrowserWindow({show: false})
     ipcMain.once('pong', function () {
-      w.destroy()
       done()
     })
     w.loadURL('file://' + fixtures + '/pages/webview-no-script.html')
   })
 
+  it('is disabled when nodeIntegration is disabled', function (done) {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        nodeIntegration: false,
+        preload: path.join(fixtures, 'module', 'preload-webview.js')
+      },
+    })
+    ipcMain.once('webview', function (event, type) {
+      if (type === 'undefined') {
+        done()
+      } else {
+        done('WebView still exists')
+      }
+    })
+    w.loadURL('file://' + fixtures + '/pages/webview-no-script.html')
+  })
+
   describe('src attribute', function () {
     it('specifies the page to load', function (done) {
       webview.addEventListener('console-message', function (e) {
@@ -84,40 +107,6 @@ describe('<webview> tag', function () {
       document.body.appendChild(webview)
     })
 
-    it('disables node integration when disabled on the parent BrowserWindow', function (done) {
-      var b = undefined
-
-      ipcMain.once('answer', function (event, typeofProcess) {
-        try {
-          assert.equal(typeofProcess, 'undefined')
-          done()
-        } finally {
-          b.close()
-        }
-      })
-
-      var windowUrl = require('url').format({
-        pathname: `${fixtures}/pages/webview-no-node-integration-on-window.html`,
-        protocol: 'file',
-        query: {
-          p: `${fixtures}/pages/web-view-log-process.html`
-        },
-        slashes: true
-      })
-      var preload = path.join(fixtures, 'module', 'answer.js')
-
-      b = new BrowserWindow({
-        height: 400,
-        width: 400,
-        show: false,
-        webPreferences: {
-          preload: preload,
-          nodeIntegration: false,
-        }
-      })
-      b.loadURL(windowUrl)
-    })
-
     it('disables node integration on child windows when it is disabled on the webview', function (done) {
       app.once('browser-window-created', function (event, window) {
         assert.equal(window.webContents.getWebPreferences().nodeIntegration, false)