fix: disable nodeIntegration & insecure resource warnings for localhost #18814
💖 Thanks for opening this pull request! 💖 We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix. Examples of commit messages with semantic prefixes:
Things that will help get your PR across the finish line:
We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.
Looks like the tests are failing. "Node integration with remote content" is failing because it's waiting for a console message that never comes (since it's suppressed). I'm not sure how to test this but here are some ideas:
"Loading insecure resources" is failing because the resource that's being loaded (which is correctly filtered) is loading a stylesheet from
For the "node integration with remote content" test, I opted in for using For the "Loading insecure resources" test, I modified the test to check that the resource it's loading from localhost is not included in the warning message.
An unrelated test failed. Does someone mind restarting it?
That spec failure is expected at the moment for fork PRs. We're working on making it work for PRs from forks, but for now that failure is expected and ok 👍
Would like to hear more voices from @electron/wg-security before merging.
In warnAboutNodeWithRemoteContent(), add a check to see if the hostname is "localhost" and prevent the warning message if it is.
In warnAboutInsecureResources(), filter out resources from localhost since they are most likely not a threat.
Add tests for ignoring warning messages for the following scenarios:
1. node integration with remote content from localhost
2. loading insecure resources from localhost
Instead of relying on the "did-finish-load" event, which may result in a race condition, add an "onload" handler that logs "loaded" to the console. This will execute _after_ the nodeIntegration check, so it can be safely used as a signal to indicate that the test is done.
Made some minor updates:
Bump. Any input from @electron/wg-security?
Hi, here from the security wg. I'm okay with this; this seems like a solid change that doesn't undermine the spirit of warning people when they're about to shoot themselves in the foot.
The only case this will stop warning about but is still valid is folks creating a localhost server to serve content in production. But that's a separate problem that this warning isn't attempting to prevent so 👍 from me
Release Notes Persisted
Description of Change
This PR removes the "node integration with remote content" and "loading insecure content" warning messages when loading from localhost.
A lot of Electron projects use webpack-dev-server for development, which involves "remote" content being loaded over an insecure connection from localhost, resulting in at least two warning messages in the console.
The warning messages are annoying and they confuse people. Worse, they can actually be counterproductive, as people are resorting to disabling the security check just to get rid of the warnings, which means they won't see them when it really matters.
Note: I explicitly chose not to test against 127.0.0.1 because although it should be the same as localhost, the latter is much more prevalent. Also, that would break a lot of tests.

Other changes:
- isLocalhost() to check if the current window's hostname is localhost

Checklist
- npm test passes (I'm having issues with setting up the project, I'll leave it up to CI)

Release Notes
Notes: "Node integration with remote content" and "loading insecure content" warning messages are suppressed for localhost connections.
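The following is an added example, not code from this PR or from Electron, that models the two warnings the PR touches (the change list above and the description of isLocalhost()) as plain functions so the localhost exemption can be exercised in isolation. It follows the PR's choice of exempting only the literal hostname "localhost", so 127.0.0.1 and ::1 still warn. nodeIntegrationWarning(), insecureResources() and insecureResourceWarning() are hypothetical stand-ins for Electron's warnAboutNodeWithRemoteContent() and warnAboutInsecureResources(); the sample resource list is constructed.

```javascript
// Added example: models Electron's localhost exemption for the
// "node integration with remote content" and "loading insecure resources"
// warnings as standalone functions. Not Electron's own code.

// Only the literal hostname "localhost" is exempt, as in the PR;
// 127.0.0.1 and ::1 are deliberately not treated as localhost.
function isLocalhost(hostname) {
  return hostname === 'localhost';
}

// Hypothetical stand-in for warnAboutNodeWithRemoteContent():
// returns the warning text, or null when no warning should be emitted.
function nodeIntegrationWarning(pageUrl, nodeIntegration) {
  if (!nodeIntegration) return null;
  const url = new URL(pageUrl);
  if (url.protocol === 'file:') return null;   // local files are not "remote content"
  if (isLocalhost(url.hostname)) return null;  // the exemption this PR adds
  return `Node integration is enabled for remote content loaded from ${url.href}`;
}

// Hypothetical stand-in for the filtering step of warnAboutInsecureResources():
// keeps only resources fetched over plain http: from a host other than localhost.
function insecureResources(resourceUrls) {
  return resourceUrls
    .map((u) => new URL(u))
    .filter((url) => url.protocol === 'http:' && !isLocalhost(url.hostname))
    .map((url) => url.href);
}

// Builds the console warning listing every flagged resource, or null if none.
// A test like the one described in the PR can assert that localhost URLs
// never appear in this string.
function insecureResourceWarning(resourceUrls) {
  const flagged = insecureResources(resourceUrls);
  if (flagged.length === 0) return null;
  return 'Insecure resources loaded over HTTP:\n' +
    flagged.map((u) => `  - ${u}`).join('\n');
}

// Constructed sample: a webpack-dev-server page on localhost that also pulls
// one third-party script over http and one stylesheet over https.
const sampleResources = [
  'http://localhost:8080/bundle.js',
  'http://localhost:8080/style.css',
  'http://cdn.example.test/lib.js',
  'https://cdn.example.test/theme.css',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(nodeIntegrationWarning('http://localhost:8080/', true));  // null
  console.log(nodeIntegrationWarning('http://127.0.0.1:8080/', true));  // still warns
  console.log(insecureResourceWarning(sampleResources));                // lists only cdn.example.test/lib.js
}
```

Running the block shows the two behaviours the PR's tests check: a page served from localhost with nodeIntegration enabled produces no warning, and the insecure-resource warning names the third-party http: script but none of the localhost URLs. Because 127.0.0.1 is not exempted, the second call still returns a warning, which is the trade-off the author notes above.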