Skip to content
Permalink
Browse files

chore: make "nodeIntegration" and "webviewTag" default to false (#16235)

  • Loading branch information
miniak authored and alexeykuzmin committed Jan 7, 2019
1 parent cdf4bfa commit fade3eb67999a11f17a8b64e63653d25f7bfe065
@@ -99,9 +99,9 @@ WebContentsPreferences::WebContentsPreferences(
// Set WebPreferences defaults onto the JS object
SetDefaultBoolIfUndefined(options::kPlugins, false);
SetDefaultBoolIfUndefined(options::kExperimentalFeatures, false);
bool node = SetDefaultBoolIfUndefined(options::kNodeIntegration, true);
SetDefaultBoolIfUndefined(options::kNodeIntegration, false);
SetDefaultBoolIfUndefined(options::kNodeIntegrationInWorker, false);
SetDefaultBoolIfUndefined(options::kWebviewTag, node);
SetDefaultBoolIfUndefined(options::kWebviewTag, false);
SetDefaultBoolIfUndefined(options::kSandbox, false);
SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
SetDefaultBoolIfUndefined(options::kContextIsolation, false);
@@ -18,7 +18,6 @@ exports.load = async (appUrl) => {
backgroundColor: '#FFFFFF',
webPreferences: {
contextIsolation: true,
nodeIntegration: false,
preload: path.resolve(__dirname, 'renderer.js'),
webviewTag: false
},
@@ -20,11 +20,7 @@ win.on('closed', () => {
win = null
})
let view = new BrowserView({
webPreferences: {
nodeIntegration: false
}
})
let view = new BrowserView()
win.setBrowserView(view)
view.setBounds({ x: 0, y: 0, width: 300, height: 300 })
view.webContents.loadURL('https://electronjs.org')
@@ -250,8 +250,8 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
`new-window-for-tab` event.
* `webPreferences` Object (optional) - Settings of web page's features.
* `devTools` Boolean (optional) - Whether to enable DevTools. If it is set to `false`, can not use `BrowserWindow.webContents.openDevTools()` to open DevTools. Default is `true`.
* `nodeIntegration` Boolean (optional) - Whether node integration is enabled. Default
is `true`.
* `nodeIntegration` Boolean (optional) - Whether node integration is enabled.
Default is `false`.
* `nodeIntegrationInWorker` Boolean (optional) - Whether node integration is
enabled in web workers. Default is `false`. More about this can be found
in [Multithreading](../tutorial/multithreading.md).
@@ -353,7 +353,7 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
integration disabled. **Note:** This option is currently
experimental.
* `webviewTag` Boolean (optional) - Whether to enable the [`<webview>` tag](webview-tag.md).
Defaults to the value of the `nodeIntegration` option. **Note:** The
Defaults to `false`. **Note:** The
`preload` script configured for the `<webview>` will have node integration
enabled when it is executed so you should ensure remote/untrusted content
is not able to create a `<webview>` tag with a possibly malicious `preload`
@@ -1603,7 +1603,7 @@ removed in future Electron releases.

* `browserView` [BrowserView](browser-view.md). Attach browserView to win.
If there is some other browserViews was attached they will be removed from
this window.
this window.

#### `win.getBrowserView()` _Experimental_

@@ -38,7 +38,7 @@ const parseOption = function (name, defaultValue, converter = value => value) {
}

const contextIsolation = hasSwitch('context-isolation')
let nodeIntegration = hasSwitch('node-integration')
const nodeIntegration = hasSwitch('node-integration')
const webviewTag = hasSwitch('webview-tag')
const isHiddenPage = hasSwitch('hidden-page')
const isBackgroundPage = hasSwitch('background-page')
@@ -64,14 +64,11 @@ if (contextIsolation) {
if (window.location.protocol === 'chrome-devtools:') {
// Override some inspector APIs.
require('@electron/internal/renderer/inspector')
nodeIntegration = false
} else if (window.location.protocol === 'chrome-extension:') {
// Add implementations of chrome API.
require('@electron/internal/renderer/chrome-api').injectTo(window.location.hostname, isBackgroundPage, window)
nodeIntegration = false
} else if (window.location.protocol === 'chrome:') {
// Disable node integration for chrome UI scheme.
nodeIntegration = false
} else {
// Override default web functions.
require('@electron/internal/renderer/window-setup')(ipcRenderer, guestInstanceId, openerId, isHiddenPage, usesNativeWindowOpen)
@@ -33,7 +33,10 @@ describe('electron module', () => {
window = new BrowserWindow({
show: false,
width: 400,
height: 400
height: 400,
webPreferences: {
nodeIntegration: true
}
})
})

@@ -299,7 +302,12 @@ describe('app module', () => {
password: 'electron'
}

w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})

w.webContents.on('did-finish-load', () => {
expect(w.webContents.getTitle()).to.equal('authorized')
@@ -376,7 +384,12 @@ describe('app module', () => {
expect(webContents).to.equal(w.webContents)
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').desktopCapturer.getSources({ types: ['screen'] }, () => {})`)
})
@@ -387,7 +400,12 @@ describe('app module', () => {
expect(moduleName).to.equal('test')
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').remote.require('test')`)
})
@@ -398,7 +416,12 @@ describe('app module', () => {
expect(globalName).to.equal('test')
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').remote.getGlobal('test')`)
})
@@ -591,6 +614,7 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true,
partition: 'empty-certificate'
}
})

0 comments on commit fade3eb

Please sign in to comment.
You can’t perform that action at this time.