From 57bb2e9fb3bb565d3f9c887c64aec60fc4a9c854 Mon Sep 17 00:00:00 2001
From: Cheng Zhao
Date: Fri, 12 Oct 2018 15:50:40 +0900
Subject: [PATCH] fix: do not enable node integration in child window if not enabled
---
 atom/browser/web_contents_preferences.cc | 4 ++++
 atom/renderer/atom_renderer_client.cc | 10 ++++++++++
 vendor/libchromiumcontent | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/atom/browser/web_contents_preferences.cc b/atom/browser/web_contents_preferences.cc
index e6bf71fb685ce..4a8fb10f95a41 100644
--- a/atom/browser/web_contents_preferences.cc
+++ b/atom/browser/web_contents_preferences.cc
@@ -331,6 +331,10 @@ void WebContentsPreferences::OverrideWebkitPrefs(
 std::string encoding;
 if (dict_.GetString("defaultEncoding", &encoding))
 prefs->default_encoding = encoding;
+
+ bool node_integration = false;
+ dict_.GetBoolean(options::kNodeIntegration, &node_integration);
+ prefs->node_integration = node_integration;
 }

 bool WebContentsPreferences::GetInteger(const base::StringPiece& attribute_name,
diff --git a/atom/renderer/atom_renderer_client.cc b/atom/renderer/atom_renderer_client.cc
index 204f17c2cf0d2..b4521998d4656 100644
--- a/atom/renderer/atom_renderer_client.cc
+++ b/atom/renderer/atom_renderer_client.cc
@@ -16,6 +16,7 @@
 #include "atom/renderer/atom_render_frame_observer.h"
 #include "atom/renderer/web_worker_observer.h"
 #include "base/command_line.h"
+#include "content/public/common/web_preferences.h"
 #include "content/public/renderer/render_frame.h"
 #include "native_mate/dictionary.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
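Review bot: In `OverrideWebkitPrefs`, the return value of `dict_.GetBoolean(options::kNodeIntegration, &node_integration)` is discarded, so a missing or non-boolean `nodeIntegration` entry silently yields `false` in the renderer preference. That fail-closed default is the right one for a value the renderer now uses as a privilege gate, but nothing in the code says it is intentional; I would add a comment such as `// Fail closed: absent or non-boolean nodeIntegration leaves the pref false.` The `node_integration` field on `prefs` is not declared in this patch and presumably arrives with the `vendor/libchromiumcontent` bump, so that side should be reviewed together with this one. The function begins above the hunk.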
@@ -86,6 +87,15 @@ void AtomRendererClient::DidCreateScriptContext(
 if (!render_frame->IsMainFrame() && !IsDevToolsExtension(render_frame))
 return;

+ // Don't allow node integration if this is a child window and it does not have
+ // node integration enabled. Otherwise we would have memory leak in the child
+ // window since we don't clean up node environments.
+ //
+ // TODO(zcbenz): We shouldn't allow node integration even for the top frame.
+ if (!render_frame->GetWebkitPreferences().node_integration &&
+ render_frame->GetWebFrame()->Opener())
+ return;
+
 injected_frames_.insert(render_frame);

 // Prepare the node bindings.
diff --git a/vendor/libchromiumcontent b/vendor/libchromiumcontent
index 42e375e8b0bf4..73dcb51d27d18 160000
--- a/vendor/libchromiumcontent
+++ b/vendor/libchromiumcontent
@@ -1 +1 @@
-Subproject commit 42e375e8b0bf4d7e030237adbb9cf7122d9f3246
+Subproject commit 73dcb51d27d18fc242279ae9ccf323bb304c93ae
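Review bot: The new early return in `DidCreateScriptContext` skips Node setup only when `Opener()` is non-null, so the decision rests on the opener relationship rather than on the browser-supplied preference alone. A frame with node integration disabled that has no opener when its script context is created falls through to `injected_frames_.insert(render_frame)`; whether another gate outside this hunk stops it cannot be seen here. If top-level windows carry a correct `node_integration` preference (the first hunk appears to set it for every WebContents), the condition could be reduced to `if (!render_frame->GetWebkitPreferences().node_integration) return;`, which is also what the TODO asks for. The comment should say that this check is a privilege boundary, not only a workaround for leaked node environments. The function continues outside the hunk.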