fix: disable nodeIntegration & insecure resource warnings for localhost

[jerry1100]

Description of Change

This PR removes the "node integration with remote content" and "loading insecure content" warning messages when loading from localhost.

A lot of electron projects use webpack-dev-server for development, which involves "remote" content being loaded over an insecure connection from localhost, resulting in at least two warning messages in the console.

The warning messages are annoying and they confuse people. Worst, they can actually be counterproductive as people are resorting to disabling the security check just to get rid of the warnings, which means they won't see them when it really matters.

Note: I explicitly chose not to test against 127.0.0.1 because although it should be the same as localhost, the latter is much more prevalent. Also, that would break a lot of tests.

Other changes:

• added isLocalhost() to check if the current window's hostname is localhost
• also ignoring enabled remote module with remote content when loading from localhost

Checklist

• npm test passes (I'm having issues with setting up the project, I'll leave it up to CI)
• tests are changed or added
• PR title follows semantic commit guidelines
• PR release notes describe the change in a way relevant to app developers, and are capitalized, punctuated, and past tense.

Release Notes

Notes: "Node integration with remote content" and "loading insecure content" warning messages are suppressed for localhost connections.

[welcome]

💖 Thanks for opening this pull request! 💖

We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix.

Examples of commit messages with semantic prefixes:

• fix: don't overwrite prevent_default if default wasn't prevented
• feat: add app.isPackaged() method
• docs: app.isDefaultProtocolClient is now available on Linux

Things that will help get your PR across the finish line:

• Follow the JavaScript, C++, and Python coding style.
• Run npm run lint locally to catch formatting errors earlier.
• Document any user-facing changes you've made following the documentation styleguide.
• Include tests when adding/changing behavior.
• Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

[jerry1100]

Looks like the tests are failing.

"Node integration with remote content" is failing because it's waiting for a console message that never comes (since it's suppressed). I'm not sure how to test this but here are some ideas:

1. Keep the console-message listener and add a did-finish-load listener that will pass the test. The idea is that the warning, if it were to come, will come before the did-finish-load event. Not sure if that's guaranteed to be the case though.
2. Pass the test after a fixed amount of time. Perhaps 10s? Something way longer than it would take the warning to show.

not ok 1124 security warnings should not warn about Node.js integration with remote content from localhost
  Error: Timeout of 30000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves. (C:\projects\src\electron\spec\security-warnings-spec.js)
      at Test.Runnable._timeoutError (C:\projects\src\electron\spec\node_modules\mocha\lib\runnable.js:440:10)
      at C:\projects\src\electron\spec\node_modules\mocha\lib\runnable.js:251:24

"Loading insecure resources" is failing because the resource that's being loaded (which is correctly filtered) is loading a stylesheet from 127.0.0.1, which is not === 'localhost', and thus the warning message shows. To get around this, we can remove the stylesheet since it's redundant to have two insecure resources for testing.

not ok 1132 security warnings without sandbox should not warn about insecure resources from localhost
  AssertionError: expected '%cElectron Security Warning (Insecure Resources)' to not include 'Insecure Resources'
      at C:\projects\src\electron\spec\security-warnings-spec.js:210:34
      at CallbacksRegistry.apply (electron/js2c/renderer_init.js:1752:29)
      at electron/js2c/renderer_init.js:1553:21
      at EventEmitter.<anonymous> (electron/js2c/renderer_init.js:1543:7)
      at EventEmitter.emit (events.js:194:13)
      at Object.onMessage (electron/js2c/renderer_init.js:2343:16)

[jerry1100]

For the "node integration with remote content" test, I opted in for using did-finish-load since I didn't like the idea of using a fixed delay. However, like I mentioned in my above post, this runs the risk of passing early if did-finish-load gets fired before console-message (though in my testing it does not).

For the "Loading insecure resources" test, I modified the test to check that the resource it's loading from localhost is not included in the warning message.

[jerry1100]

An unrelated test failed. Does someone mind restarting it?

[MarshallOfSound]

@jerry1100

Error: No valid signing identity available to run autoUpdater specs

That spec failure is expected at the moment for fork PRs, we're working on making it work for PRs from forks but for now that failure is expected and ok 👍

[zcbenz]

Would like to hear more voices from @electron/wg-security before merging.

[jerry1100]

Made some minor updates:

1. Added isLocalhost() to reduce code duplication
2. Handled the newly added "enabled remote module with remote content" warning

[jerry1100]

Bump. Any input from @electron/wg-security?

[felixrieseberg]

Hi, here from the security wg. I'm okay with this, this seems like a solid change that doesn't undermine the spirit of warning people when they're about to shoot themselves in the foot.

[MarshallOfSound]

The only case this will stop warning about but is still valid is folks creating a localhost server to serve content in production. But that's a separate problem that this warning isn't attempting to prevent so 👍 from me

[release-clerk]

Release Notes Persisted

"Node integration with remote content" and "loading insecure content" warning messages are suppressed for localhost connections.