webview.preload fails when webSecurity is disabled

[romaincointepas]

• Electron version: 1.2.0
• Operating system: OS X 10.11.5

webview preload attribute seems to be broken in Electron 1.2.0/Chrome 51 (worked with 1.1.3/Chrome 50).

Here is how I used it (successfully) on versions prior to 1.2.0:
@webview.preload = "file://#{app.getAppPath()}/js/player-preload.js"

Tried to put it in the HTML webview tag directly as attribute, same thing.

Note: No error in the Console though, it's just that the script is never actually executed.

[kevinsawicki]

@romaincointepas can you share the options you are passing to the BrowserWindow constructor for the window containing the webview?

[romaincointepas]

Sure, here it is:

win = new BrowserWindow(
    x: winState.x
    y: winState.y
    width: winState.width
    height: winState.height
    show: false
    backgroundColor: '#101010'
    titleBarStyle: 'hidden'
    webPreferences:
      plugins: true
      allowDisplayingInsecureContent: true
  )

[kevinsawicki]

Hmm, having trouble reproducing this with the following app:

main.js

const {app, BrowserWindow} = require('electron')
let window
app.on('ready', function () {
  window = new BrowserWindow({
    width: 200,
    height: 200,
    show: true
  })
  window.loadURL('file://' + __dirname + '/page.html')
})

page.html

<body>
  <webview preload="preload.js" src="wv.html" style="display:inline-flex; width:640px; height:480px"></webview>
</body>

wv.html

<body>
  <script>document.write('preload time? ' + window.preloaded)</script>
</body>

preload.js

window.preloaded = Date.now()

It currently shows the value at launch, any differences in your app that you can think of that might help me reproduce this?

[romaincointepas]

How do you not get the error Only "file:" protocol is supported in "preload" attribute. in the Console when not using file: in the preload attribute?

[kevinsawicki]

How do you not get the error Only "file:" protocol is supported in "preload" attribute. in the Console when not using file: in the preload attribute?

Not sure, do you have any other attributes set on your <webview> tag?

[romaincointepas]

<webview id="player-webview" src="data:text/plain,_" preload="preload.js" disablewebsecurity plugins></webview>

src="data:text/plain,_" seems to be the problem, weird. When I remove it, no error in the console.

Also definitely worth noting, the BrowserWindow is loading a remote html page that has the webview tag (that's why I use app.getAppPath(), as the preload script is local).

[kjlaw89]

I'm running into this same issue. I ran a few tests and determined a few things:

1. It appears setting "disablewebsecurity" kills the preload scripts. In my case I have to set this flag if I want to be able to load PDFs in my application (though I'm working on a more native way to do this but haven't figured one out yet)
2. When I get rid of disablewebsecurity the preload script starts working again, but some web requests fail to go through. i.e., clicking a link on a website does nothing. When disablewebsecurity is active, the preload scripts don't load but I can navigate around just fine.

[kjlaw89]

Okay, I did a little extra research and can elaborate more on #2. When disablewebsecurity is removed, the preload script will load and execute just fine. It appears that using remote.getGlobal at any point (and apparently just a normal alert()) will keep the page from following any links. You don't even need to do anything with the global variable you got, you just need to pull one in for page navigation to break.

I verified that the browser does still recognize the attempt to navigate as I'm watching session.webRequest.onBeforeSendHeaders and it does show the URL/Headers of the link I clicked, but it never navigates or loads any of the resources.

[marbemac]

We can confirm the same behavior @kjlaw89 is describing. Preload script breaks/doesn't load in 1.2 when webSecurity is set to false.

[kevinsawicki]

This looks similar to #5712 where webSecurity affects script loading

[zcbenz]

I'm merging this to #5712 since they are essentially the same bug.