disable the remote module in devtools renderers

electron · Feb 1, 2019 · a626020 · a626020
1 parent be2feae
commit a626020
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 14 deletions.
diff --git a/atom/browser/api/atom_api_web_contents.cc b/atom/browser/api/atom_api_web_contents.cc
@@ -2009,6 +2009,9 @@ v8::Local<v8::Value> WebContents::GetLastWebPreferences(
 }
 
 bool WebContents::IsRemoteModuleEnabled() const {
+  if (web_contents()->GetVisibleURL().SchemeIs("chrome-devtools")) {
+    return false;
+  }
   if (auto* web_preferences = WebContentsPreferences::From(web_contents())) {
     return web_preferences->IsRemoteModuleEnabled();
   }

diff --git a/lib/browser/api/web-contents.js b/lib/browser/api/web-contents.js
@@ -365,17 +365,6 @@ const addReturnValueToEvent = (event) => {
   })
 }
 
-const safeProtocols = new Set([
-  'chrome-devtools:',
-  'chrome-extension:'
-])
-
-const isWebContentsTrusted = function (contents) {
-  const pageURL = contents._getURL()
-  const { protocol } = url.parse(pageURL)
-  return safeProtocols.has(protocol)
-}
-
 // Add JavaScript wrappers for WebContents class.
 WebContents.prototype._init = function () {
   // The navigation controller.
@@ -436,9 +425,7 @@ WebContents.prototype._init = function () {
 
   for (const eventName of forwardedEvents) {
     this.on(eventName, (event, ...args) => {
-      if (!isWebContentsTrusted(event.sender)) {
-        app.emit(eventName, event, this, ...args)
-      }
+      app.emit(eventName, event, this, ...args)
     })
   }