fix: do not enable node integration in child window if not enabled
zcbenz committed Oct 12, 2018
1 parent eb8546c commit 57bb2e9
Showing 3 changed files with 15 additions and 1 deletion.
4 changes: 4 additions & 0 deletions atom/browser/web_contents_preferences.cc
@@ -331,6 +331,10 @@ void WebContentsPreferences::OverrideWebkitPrefs(
std::string encoding;
if (dict_.GetString("defaultEncoding", &encoding))
prefs->default_encoding = encoding;

bool node_integration = false;
dict_.GetBoolean(options::kNodeIntegration, &node_integration);
prefs->node_integration = node_integration;
}

bool WebContentsPreferences::GetInteger(const base::StringPiece& attribute_name,
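Review bot: The result of `dict_.GetBoolean(options::kNodeIntegration, &node_integration)` is discarded, so a missing or non-boolean entry quietly becomes `prefs->node_integration = false`, and nothing in the hunk says that this is intended. That is the fail-closed direction, which suits a flag the renderer side of this commit reads before setting up Node in an opened window, but it should be stated so that nobody later flips the initial value to match a different default. I would add a comment above the three lines such as `// Mirror nodeIntegration into WebPreferences for the renderer; absent or malformed values stay false (fail closed).` OverrideWebkitPrefs starts outside the hunk, so whether a default for this key is filled in earlier cannot be checked from here.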
10 changes: 10 additions & 0 deletions atom/renderer/atom_renderer_client.cc
@@ -16,6 +16,7 @@
#include "atom/renderer/atom_render_frame_observer.h"
#include "atom/renderer/web_worker_observer.h"
#include "base/command_line.h"
#include "content/public/common/web_preferences.h"
#include "content/public/renderer/render_frame.h"
#include "native_mate/dictionary.h"
#include "third_party/WebKit/public/web/WebDocument.h"
@@ -86,6 +87,15 @@ void AtomRendererClient::DidCreateScriptContext(
if (!render_frame->IsMainFrame() && !IsDevToolsExtension(render_frame))
return;

// Don't allow node integration if this is a child window and it does not have
// node integration enabled. Otherwise we would have memory leak in the child
// window since we don't clean up node environments.
//
// TODO(zcbenz): We shouldn't allow node integration even for the top frame.
if (!render_frame->GetWebkitPreferences().node_integration &&
render_frame->GetWebFrame()->Opener())
return;

injected_frames_.insert(render_frame);

// Prepare the node bindings.
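Review bot: The new early return in DidCreateScriptContext is skipped whenever `render_frame->GetWebFrame()->Opener()` is null, so a main frame whose preferences have `node_integration` off but which has no opener reference still continues to `injected_frames_.insert(render_frame)` and the node-binding setup. Whether a frame has an opener depends on how the window was opened and is not a property of the preference, so it is a weak key for a privilege decision; the TODO concedes the top-frame case, but the comment explains the guard only as a memory-leak workaround. I would reword the comment to state the security boundary and the gap, e.g. `// Security: frames without an opener still get a node environment even when node_integration is false; isolation then depends on the setup below (see TODO).`, and add a spec covering a child window created without an opener. The function body continues beyond the hunk, so what the later setup does with the flag is not visible here.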
